Encryption key type order w. windows auth?

Jeffrey Hutzelman jhutz at cmu.edu
Fri Jun 18 11:37:56 EDT 2004



On Thursday, June 17, 2004 21:49:34 -0400 David Botsch 
<dwb7 at ccmr.cornell.edu> wrote:

> Ok... however, since Windows can come up with the other string to key
> algorithm, why does authentication not work?

Because when it constructs an AS-REP, the KDC gets to choose which of the 
user's keys will be used, subject only to constraints the client provides 
about what enctypes it can handle.  There's no way for the client to say "I 
can't handle the AFS string-to-key; don't use it", so the KDC is free to 
choose that key.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
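
Added example, not part of the original message: a simplified Python model of the key selection described above, showing that a client restricted to enctype numbers cannot steer the KDC away from an AFS-derived key. The first-match policy, the stored key list and the client enctype list are constructed assumptions, not taken from any KDC implementation.

```python
"""Simplified model of KDC client-key selection for an AS-REP (illustration only)."""
from itertools import combinations
from typing import NamedTuple, Optional, Sequence

# Enctype numbers as assigned for Kerberos (RFC 3961 / RFC 4757).
DES_CBC_CRC, DES_CBC_MD5, DES3_CBC_SHA1, RC4_HMAC = 1, 3, 16, 23


class StoredKey(NamedTuple):
    enctype: int
    s2k: str  # string-to-key flavour used to derive the key: "normal" or "afs3"


def choose_reply_key(keys: Sequence[StoredKey],
                     client_etypes: Sequence[int]) -> Optional[StoredKey]:
    """Assumed policy: take the first stored key whose enctype the client listed.

    The request carries enctype numbers only, so `s2k` cannot be filtered on.
    """
    for key in keys:
        if key.enctype in client_etypes:
            return key
    return None


def etype_lists_avoiding_afs(keys, candidate_etypes):
    """Every non-empty client etype list that yields a key with a non-AFS s2k."""
    good = []
    for n in range(1, len(candidate_etypes) + 1):
        for subset in combinations(candidate_etypes, n):
            chosen = choose_reply_key(keys, subset)
            if chosen is not None and chosen.s2k != "afs3":
                good.append(subset)
    return good


# Constructed principal: same DES enctype stored twice, differing only in s2k.
AFS_FIRST = [StoredKey(DES_CBC_CRC, "afs3"), StoredKey(DES_CBC_CRC, "normal")]
NORMAL_FIRST = list(reversed(AFS_FIRST))
# Constructed client that supports only single-DES enctypes.
DES_ONLY_CLIENT = [DES_CBC_MD5, DES_CBC_CRC]

if __name__ == "__main__":
    print(choose_reply_key(AFS_FIRST, DES_ONLY_CLIENT))      # AFS-derived key
    print(choose_reply_key(NORMAL_FIRST, DES_ONLY_CLIENT))   # normal-salt key
    print(etype_lists_avoiding_afs(AFS_FIRST, DES_ONLY_CLIENT))
```

In this model only the order of the keys stored on the KDC side changes which key is used; no choice of client enctype list does.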


