Jacques Lebastard jacques.lebastard at evidian.com
Fri Sep 17 13:16:47 EDT 2004

Jeffrey Altman wrote:

> There is no need to nor should you set the tkt and tgs enctypes.
> MIT Kerberos 1.3 and higher support all of the enctypes used by
> the Windows Kerberos SSPI.
> If your service is running on Unix, then you must make sure that
> you create a keytab containing entries for each of the keys that
> Windows can produce for the SPN.  (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC).
> The DES enctypes will only be used if the account associated with
> the SPN is marked DES only.

How can I check this and, second question, how can I generate a keytab 
with RC4-HMAC encryption ? The ktpass tool does not accept the RC4-HMAC 
crypto type:

[- /]       crypto : Cryptosystem to use
[- /]       crypto :  is one of:
[- /]       crypto : DES-CBC-CRC : for compatibility
[- /]       crypto : DES-CBC-MD5 : default

Trying '-crypto RC4-HMAC' indicates that the SPN is marked for DES only 
! How can I modify this ?

Thanks for your help,

> Jacques Lebastard wrote:
>> Hi there,
>> our client/server application uses either SSPI (Windows) or GSS-API 
>> (UNIX) in order to establish a secure context.
>> In order to make it work properly, I had to set specific encryption 
>> types in the krb5.conf file of the UNIX server:
>> [libdefaults]
>>         default_tkt_enctypes = des-cbc-md5
>>         default_tgs_enctypes = des-cbc-md5
>> Does that mean that the established session keys are DES 64 bits 
>> *ONLY* ? It sounds like a weak encryption...
>> Are any other encryption types compatible between MIT and Windows 
>> 2000/2003 (native) Kerberos implementations ?

More information about the Kerberos mailing list