Jeffrey Altman jaltman2 at nyc.rr.com
Tue Sep 14 13:10:54 EDT 2004

There is no need to nor should you set the tkt and tgs enctypes.
MIT Kerberos 1.3 and higher support all of the enctypes used by
the Windows Kerberos SSPI.

If your service is running on Unix, then you must make sure that
you create a keytab containing entries for each of the keys that
Windows can produce for the SPN.  (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC).
The DES enctypes will only be used if the account associated with
the SPN is marked DES only.

Jeffrey Altman

Jacques Lebastard wrote:

> Hi there,
> our client/server application uses either SSPI (Windows) or GSS-API 
> (UNIX) in order to establish a secure context.
> In order to make it work properly, I had to set specific encryption 
> types in the krb5.conf file of the UNIX server:
> [libdefaults]
>         default_tkt_enctypes = des-cbc-md5
>         default_tgs_enctypes = des-cbc-md5
> Does that mean that the established session keys are DES 64 bits *ONLY* 
> ? It sounds like a weak encryption...
> Are any other encryption types compatible between MIT and Windows 
> 2000/2003 (native) Kerberos implementations ?

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

More information about the Kerberos mailing list