Encryption key type order w. windows auth?

Sam Hartman hartmans at MIT.EDU
Tue Jun 22 07:02:27 EDT 2004

>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at cmu.edu> writes:

    Jeffrey> You should not depend on the "ordering" you're seeing
    Jeffrey> here; logically, it's an unordered set.  If you have
    Jeffrey> Windows users, they will need to not have AFS-salted
    Jeffrey> keys.

Last time I checked the keys in the kdb are very much an ordered set,
or at least there is a distinguished key used for requests without
preauthentication and a distinguished key used by the KDC for a
principal as a server and our implementation selects these
distinguished keys based on order.

You have several options for fixing the problem:

* Set the preauth_required attribute and make sure you have a 1.3.x KDC.
* Order the keys so the afs3 keys and v4 salted keys come last.

More information about the Kerberos mailing list