step by step guide for Windows 2003 Server and MIT Kerberos trust?

Douglas E. Engert deengert at
Thu Jun 10 08:47:45 EDT 2004

Jeffrey Altman wrote:

> Douglas E. Engert wrote:
> >
> > "D. Schikora" wrote:
> >
> >>Hallo
> >>
> >>Is there anywhere one guide for Kerberos and Windows 2003 Server. I can only
> >>find the old one for W2K and I hope there are some changes between W2K and
> >>W2K3.
> >
> >
> >
> > Not that I know of.  Note that when you use ktpass command and use the DesOnly
> > flag, this is saved in the AD. 2000 will the use an enctype of des-cbc-crc,
> > where as 2003 will use des-cbc-md5 when generating tickets for a server.
> > What this means is that you may need to have two keys in a server's keytab if you are
> > converting from 2000 to 2003. one for each enctype. They both have the same key, and
> > kvno but different enctypes.
> >
> > (Microsoft should have had two flags.)
> The change in Windows 2003 was not to use DES-CBC-MD5 instead of
> DES-CBC-CBC.  The change was to use the stronger encryption type
> requested by the client instead of the first encryption type requested
> by the client.  If the client removes DES-CBC-MD5 from the
> permitted_enctypes list, Windows 2003 will issue a DES-CBC-CRC ticket.

That does sound like a better explanation but the problem and resolution is the same.

The AD should know what types are acceptable to the SERVER and select one
of these which is in the list provided by the client, or ignore the client or fail.

 I have seen cases where one has had to add a extra entry to the keytab file with
enctype for des-cbc-md5 even though there was a entry for des-cbc-crc.

This may stem for the fact that AD stores a password and can generate a key for any
enctype from  it, where as MIT and Heimdal store the keys when added be kadmin
and might be different keys.

It could also stem from  AD assuming DES is DES and if you have a key for
des-cbc-crc you have the key for des-cbc-md5. I don't think the  MIT or Heimdal
code if it fails to find a keytab entry for des-cbc-md5 will try and look for a des-cbc-crc
key. This only makes sense if you also assume the DES key would be the same. With AD
this is the case, with MIT or Heimdal it is not.

The point being that if you upgrade from 2000 to 2003 you may have to add additional
keytab entries.

Another issue is that 2003 stores a KVNO and will return it rather then just 0 or 1
used be 2000. So you may need to add other keytab entries with the correct KVNO. .

> Jeffrey Altman
> --
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

More information about the Kerberos mailing list