AD Cross Realm Trust Integration

John Harris harris at ucdavis.edu
Wed Apr 27 12:52:19 EDT 2005


Greetings again,

> 
> Windows server support for cross realm trusts using RC4 keys was added
> to 2003 SP1.   When you are ready to install it, you can upgrade your
> cross realm keys to RC4.

Gotcha...I was hoping this would be the case.  Now if I can only 
convince the 800 departments on campus to upgrade :)

> 
> 
>>So I'm curious as to how others are handling this particular situation:
>>
>>1) Manually keeping Microsoft-dependent tickets encrypted at only DES
> 
> 
> Everything for Microsoft should be at RC4 unless you are using Kerberos
> stacks which are DES only.
> 
Like Windows 2000 forests (blech)

> 
>>2) Having multiple encryption types per service ticket
> 
> 
>>3) Running separate Unix and Microsoft KDCs
> 
> 
> Now I am not sure I understand the question.

You understood it.  This third option is one we're kicking around so we 
can use a Unix KDC with ONLY AES encryption for everything and then have 
a separate Windows KDC that the Active Directory projects on campus 
would use.  Meaning not everyone would have an AD account; only those who 
are using the AD centralized services.  The rest of campus and GSSAPI-
supported apps would point to the other one.

Which brings me to an ignorance question: if we can use RC4 now in 
Windows 2003, is it more insecure (realistically) than AES, or if we 
moved to just RC4 and kept ONE centralized KDC, would that be 
sufficiently secure?

Thanks for your quick response and knowledge as always, Jeff.

J
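The trade-off discussed in this message (an AES-only Unix KDC versus a single KDC that also keys cross-realm principals with RC4 for Windows) comes down to which enctypes every party in the exchange can handle. The following is an added example, not code from the thread or from any Kerberos implementation: it models the enctype negotiation as a set intersection over the client's, the cross-realm krbtgt key's and the service's supported enctypes, and flags the DES and RC4 outcomes a reviewer would want to see. The realm names and the enctype lists attributed to Windows 2000, Windows 2003 SP1 and the Unix KDC are constructed for illustration (the SP1 RC4 support and Windows 2000 DES-only behaviour follow the thread; the Unix sets are assumed).

```python
# Added example (not part of the original thread). Models which Kerberos
# enctype ends up protecting a cross-realm ticket when each party only
# supports a subset, and flags weak results. All scenario data below is
# constructed for illustration.

# Rough strength ranking, strongest first, of the enctypes the thread mentions.
ENCTYPE_STRENGTH = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "arcfour-hmac",   # RC4-HMAC: weaker than AES, still common in AD
    "des-cbc-md5",    # single DES: broken, should be disabled
    "des-cbc-crc",
]
WEAK_ENCTYPES = {"arcfour-hmac", "des-cbc-md5", "des-cbc-crc"}

# Constructed capability sets (assumed for the example).
UNIX_AES_ONLY = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
UNIX_ALL = UNIX_AES_ONLY | {"arcfour-hmac", "des-cbc-md5", "des-cbc-crc"}
WIN2000 = {"des-cbc-md5", "des-cbc-crc"}                      # DES only
WIN2003_SP1 = {"arcfour-hmac", "des-cbc-md5", "des-cbc-crc"}  # RC4 added in SP1


def negotiate(*supported_sets):
    """Return the strongest enctype every party supports, or None if the
    intersection is empty (cross-realm authentication cannot succeed)."""
    common = set.intersection(*(set(s) for s in supported_sets))
    for enctype in ENCTYPE_STRENGTH:
        if enctype in common:
            return enctype
    return None


def assess(label, *supported_sets):
    """Negotiate and classify the outcome as 'fails', 'weak' or 'ok'."""
    enctype = negotiate(*supported_sets)
    if enctype is None:
        return (label, None, "fails")
    if enctype in WEAK_ENCTYPES:
        return (label, enctype, "weak")
    return (label, enctype, "ok")


def run_scenarios():
    """The three designs from the thread, each as (client, cross-realm key, service)."""
    return [
        # Option 3: AES-only Unix KDC trusted by a Windows 2000 forest.
        assess("AES-only Unix KDC <-> Win2000 forest", UNIX_AES_ONLY, UNIX_AES_ONLY, WIN2000),
        # Option 1: single KDC keeping the cross-realm key at DES for Win2000.
        assess("Single KDC, DES cross-realm key, Win2000", UNIX_ALL, WIN2000, WIN2000),
        # Post-SP1: single KDC, cross-realm key upgraded to RC4.
        assess("Single KDC, RC4 cross-realm key, Win2003 SP1", UNIX_ALL, WIN2003_SP1, WIN2003_SP1),
        # Unix-to-Unix traffic on the same KDC is unaffected by the Windows trust.
        assess("Unix client <-> Unix service, same KDC", UNIX_ALL, UNIX_ALL, UNIX_ALL),
    ]


if __name__ == "__main__":
    for label, enctype, verdict in run_scenarios():
        print(f"{verdict:5} {enctype or '-':25} {label}")
```

The point the model makes concrete is that the cross-realm krbtgt key is a third party to the negotiation: a single KDC can still issue AES tickets between Unix principals while the one cross-realm principal carries an RC4 (or, for Windows 2000, DES) key, so "one centralized KDC at RC4" only has to mean RC4 on that trust key, not on everything.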

