<no subject>

[Jeffrey Altman]

Sam Hartman wrote:
>>>>>>"Mark" == Mark Hendricks <mdh3 at humboldt.edu> writes:
> 
>     Mark> -e des:normal krbtgt/<AD><REALM>
> 
> I'm not sure what problem this is designed to fix, but it sounds like
> a bad idea from a security standpoint.  It will certainly mask a large
> class of configuration or interoperability problems.
> 
> But pretty much all the Kerberos implementations have advanced to a
> point where with even vaguely modern software, this sort of solution
> is unnecessary.

All the implementations except for the Java Kerberos implementation
and perhaps some implementation that Oracle might be shipping.

Not to say that forcing the use of des-cbc-crc is a good idea, its not.
Just pointing out that there are still interop problems based entirely
in the implemented set of enctypes.

Jeffrey Altman