Interop/Compat: 3DES used in AS-REP despite no client support

Chaskiel M Grundman cg2v at andrew.cmu.edu
Tue Dec 6 16:50:53 EST 2005


The enc-part of the ticket only matters to the service that it will be 
presented to (in this case, the MIT kdc). The MIT kdc is acting correctly. 
The enc-part of the AS-REP itself is des-cbc-md5.


> Later, when the XP machine approaches
> the Windows KDC about a service ticket, the Windows KDC rejects the
> request with an ENCTYPE error. I believe that this may be due to the
> inclusion of the 3DES encrypted block in the TGS-REQ.

This is probably because the krbtgt/A.A at X.X entry in the X.X realm includes 
a key with the 3des enctype. You need to remove that key. I don't know how 
to do that for an MIT kdc.

The client's enctype preference *only* affects the following:
- the enctype of any enc-part that the client needs to decrypt (which does 
not include any enc-part embedded in a ticket)
- the enctype of the session key.

The way that the kdc identifies what enctypes the server supports is based 
entirely on what keys the server's principal has in the kdc's database.
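A toy model of the three enctype decisions described above, added here as an illustration and not taken from the thread or from any KDC's code. The KDC-wide preference order, the principal key sets and the enctype names (des3-cbc-sha1 for 3DES, des-cbc-md5) are constructed for the example.

```python
KDC_PREFERENCE = ["des3-cbc-sha1", "des-cbc-md5"]  # assumed KDC-wide ordering

class EnctypeError(Exception):
    """Stands in for the KDC's ENCTYPE (etype not supported) rejection."""

def pick(candidates, preference=KDC_PREFERENCE):
    """Return the most-preferred enctype present in candidates, or raise."""
    for etype in preference:
        if etype in candidates:
            return etype
    raise EnctypeError("no mutually supported enctype among %r" % (candidates,))

def choose_enctypes(client_etypes, client_keys, server_keys):
    """Model the three enctype decisions a KDC makes for one AS exchange.

    client_etypes: enctypes the client listed in its request (its preference)
    client_keys:   enctypes the client principal has keys for in the database
    server_keys:   enctypes the service principal has keys for in the database
    """
    # 1. Reply enc-part: the client has to decrypt it, so it must be an enctype
    #    the client asked for AND one its principal has a key for.
    reply = pick([e for e in client_keys if e in client_etypes])
    # 2. Ticket enc-part: only the service decrypts it, so the client's list is
    #    irrelevant; the KDC uses the service's most-preferred database key.
    ticket = pick(server_keys)
    # 3. Session key: both sides use it, so it must be an enctype the client
    #    asked for that the service also has a key for. The database keys are
    #    the KDC's only knowledge of what the service supports.
    session = pick([e for e in client_etypes if e in server_keys])
    return {"reply": reply, "ticket": ticket, "session": session}

def remove_key(keys, etype):
    """The fix suggested in the reply: drop an enctype from a principal's keys."""
    return [e for e in keys if e != etype]

if __name__ == "__main__":
    # Constructed scenario: a DES-only client, a krbtgt entry with 3DES and DES keys.
    des_only = ["des-cbc-md5"]
    krbtgt = ["des3-cbc-sha1", "des-cbc-md5"]
    print(choose_enctypes(des_only, des_only, krbtgt))
    # -> reply and session des-cbc-md5, ticket des3-cbc-sha1 (what the thread saw)
    try:
        choose_enctypes(des_only, des_only, ["des3-cbc-sha1"])
    except EnctypeError as err:
        print("rejected:", err)  # no session-key overlap: the ENCTYPE error
    print(choose_enctypes(des_only, des_only, remove_key(krbtgt, "des3-cbc-sha1")))
```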
