UNIX GSS-API / Windows SSPI :
Douglas E. Engert
deengert at anl.gov
Fri Sep 17 15:25:28 EDT 2004
Jacques Lebastard wrote:
> Jeffrey Altman wrote:
>>There is no need to nor should you set the tkt and tgs enctypes.
>>MIT Kerberos 1.3 and higher support all of the enctypes used by
>>the Windows Kerberos SSPI.
>>If your service is running on Unix, then you must make sure that
>>you create a keytab containing entries for each of the keys that
>>Windows can produce for the SPN. (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC).
>>The DES enctypes will only be used if the account associated with
>>the SPN is marked DES only.
> How can I check this and, second question, how can I generate a keytab
> with RC4-HMAC encryption ? The ktpass tool does not accept the RC4-HMAC
> crypto type:
If you knew the password (or key) added to AD, you could try using ktutil,
instead of ktpass.
Use addent ... -e arcfour-hmac-md5
Ktutil let me create a keytab, I don't know if is correct.
> [- /] crypto : Cryptosystem to use
> [- /] crypto : is one of:
> [- /] crypto : DES-CBC-CRC : for compatibility
> [- /] crypto : DES-CBC-MD5 : default
> Trying '-crypto RC4-HMAC' indicates that the SPN is marked for DES only
> ! How can I modify this ?
> Thanks for your help,
>>Jacques Lebastard wrote:
>>>our client/server application uses either SSPI (Windows) or GSS-API
>>>(UNIX) in order to establish a secure context.
>>>In order to make it work properly, I had to set specific encryption
>>>types in the krb5.conf file of the UNIX server:
>>> default_tkt_enctypes = des-cbc-md5
>>> default_tgs_enctypes = des-cbc-md5
>>>Does that mean that the established session keys are DES 64 bits
>>>*ONLY* ? It sounds like a weak encryption...
>>>Are any other encryption types compatible between MIT and Windows
>>>2000/2003 (native) Kerberos implementations ?
> Kerberos mailing list Kerberos at mit.edu
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the Kerberos