step by step guide for Windows 2003 Server and MIT Kerberos trust?

Luke Howard lukeh at PADL.COM
Sat Jun 12 23:04:31 EDT 2004


>This is exactly what is happening.  Active Directory contains a password 
>and a set of string to key algorithms.  The Microsoft version of 
>Kerberos will always generate keys on the fly.

Active Directory stores keys, not passwords, for Kerberos (although the
cleartext password can be stored if the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
bit is set on an account, this is not necessary for Kerberos).

The Local Security Authority on a domain member does contain the machine
trust account password, from which keys are generated using the appropriate
string to key algorithm. I think it is this to which you were referring?

-- Luke


