AD Cross Realm Trust Integration
Jeffrey Altman
jaltman2 at nyc.rr.com
Tue Apr 26 16:32:54 EDT 2005
John Harris wrote:
> Greetings,
>
> We're currently looking at increasing the session and ticket encryption
> types for our Unix-based Kerberos clients (command-line and GSSAPI-based
> client/web clients) up to AES.
>
> One of our issues is to continue to support the cross-realm authentication
> with Windows KDCs on campus. As far as I know, Microsoft's KDCs support
> DES and RC4 and that's it.

Windows server support for cross realm trusts using RC4 keys was added
to 2003 SP1. When you are ready to install it, you can upgrade your
cross realm keys to RC4.

> So I'm curious as to how others are handling this particular situation:
>
> 1) Manually keeping Microsoft-dependent tickets encrypted at only DES

Everything for Microsoft should be at RC4 unless you are using Kerberos
stacks which are DES only.

> 2) Having multiple encryption types per service ticket
> 3) Running separate Unix and Microsoft KDCs

Now I am not sure I understand the question.

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu