step by step guide for Windows 2003 Server and MIT Kerberos trust?

Jeffrey Altman jaltman2 at
Wed Jun 9 21:53:35 EDT 2004

Douglas E. Engert wrote:
> "D. Schikora" wrote:
>>Is there anywhere one guide for Kerberos and Windows 2003 Server. I can only
>>find the old one for W2K and I hope there are some changes between W2K and
> Not that I know of.  Note that when you use ktpass command and use the DesOnly
> flag, this is saved in the AD. 2000 will the use an enctype of des-cbc-crc, 
> where as 2003 will use des-cbc-md5 when generating tickets for a server.
> What this means is that you may need to have two keys in a server's keytab if you are 
> converting from 2000 to 2003. one for each enctype. They both have the same key, and 
> kvno but different enctypes.
> (Microsoft should have had two flags.)

The change in Windows 2003 was not to use DES-CBC-MD5 instead of 
DES-CBC-CBC.  The change was to use the stronger encryption type 
requested by the client instead of the first encryption type requested 
by the client.  If the client removes DES-CBC-MD5 from the 
permitted_enctypes list, Windows 2003 will issue a DES-CBC-CRC ticket.

Jeffrey Altman

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

More information about the Kerberos mailing list