step by step guide for Windows 2003 Server and MIT Kerberos trust?
Luke Howard
lukeh at PADL.COM
Sat Jun 12 23:04:31 EDT 2004
>This is exactly what is happening. Active Directory contains a password
>and a set of string to key algorithms. The Microsoft version of
>Kerberos will always generate keys on the fly.
Active Directory stores keys, not passwords, for Kerberos (although the
cleartext password can be stored if the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
bit is set on an account, this is not necessary for Kerberos).
The Local Security Authority on a domain member does contain the machine
trust account password, from which keys are generated using the appropriate
string to key algorithm. I think it is this to which you were referring?
-- Luke
More information about the Kerberos
mailing list