Getting single DES TGT [was Re: KDC: upgrade to 3DES]

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Apr 8 08:48:59 EDT 2005


Craig Huckabee wrote:
> 
>   I did some testing last night on a demo realm I have on a private
> network - whatever enctype is listed first for the krbtgt principal is
> the one selected for the tkt no matter what the client asks for.  The
> skey gets selected as expected when default_tgs_enctypes is used.

The client should never be able to influence the choice of the
enctype of the service ticket.  That is a decision made by the
KDC based upon its most preferred enctype for which there is an
entry for the service principal.  It is the responsibility of the
Kerberos administrator to only assign enctypes to service principals
that the service can understand.

The choice of the enctype used to protect the response to the client is
made by the KDC.  It uses its most preferred enctype that is supported
by the client.

The choice of session key enctype can be requested by the client
application.

Jeffrey Altman

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
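
A simplified model of the three selections described in the reply above, as an added example that is not part of the original message and is not MIT Kerberos code. The KDC preference list, the function names, the session-key rule and the sample key lists are assumptions made for illustration.

```python
# Simplified model of the three KDC decisions described in the message.
# KDC_PREFERENCE and every function name here are assumptions, not KDC code.
KDC_PREFERENCE = ["aes256-cts-hmac-sha1-96", "des3-cbc-sha1", "des-cbc-crc"]


class EtypeNoSupp(Exception):
    """No usable enctype (the protocol error is KDC_ERR_ETYPE_NOSUPP)."""


def _first(candidates, allowed):
    # Return the first candidate that is also in the allowed set.
    for etype in candidates:
        if etype in allowed:
            return etype
    raise EtypeNoSupp(f"no enctype in common: {candidates} vs {sorted(allowed)}")


def ticket_enctype(service_keys):
    """KDC's most preferred enctype for which the service principal has a key.
    The client's requested list is deliberately not an input."""
    return _first(KDC_PREFERENCE, set(service_keys))


def reply_enctype(client_etypes):
    """KDC's most preferred enctype that the client supports."""
    return _first(KDC_PREFERENCE, set(client_etypes))


def session_key_enctype(client_etypes):
    """Assumed rule: the client's first requested enctype that the KDC permits."""
    return _first(client_etypes, set(KDC_PREFERENCE))


def issue(service_keys, client_etypes):
    return {
        "ticket": ticket_enctype(service_keys),
        "reply": reply_enctype(client_etypes),
        "session_key": session_key_enctype(client_etypes),
    }


if __name__ == "__main__":
    # Constructed sample: krbtgt holds DES and 3DES keys, client lists DES first.
    print(issue(["des-cbc-crc", "des3-cbc-sha1"], ["des-cbc-crc", "des3-cbc-sha1"]))
    # Constructed sample: the service holds only a DES key, so the ticket is
    # DES even though the client asked for 3DES only.
    print(issue(["des-cbc-crc"], ["des3-cbc-sha1"]))
```

In this model the only way to change the ticket enctype is to change the keys held by the service principal, which is the administrator's side of the arrangement.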

