Interop/Compat: 3DES used in AS-REP despite no client support

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Dec 7 14:53:47 EST 2005


When creating or modifying the cross-realm principals with
MIT kadmin, you must specify the list of enc:salt combinations
you wish created for that principal.

If you do not specify a list, the default list from kdc.conf
will be used.

You use the "-e enc:salt ..." option as documented here:

http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.3/doc/krb5-admin/Adding-or-Modifying-Principals.html#Adding%20or%20Modifying%20Principals

For the cross-realm principals, if your Windows servers are pre-2003
SP1, they must be restricted to DES-CBC-MD5 and DES-CBC-CRC. If the
servers are 2003 SP1 and later, you can also include RC4-HMAC.

You do not need to modify the enctypes for all client and service
principals, just those used for the cross-realm relationships with
Windows domains.
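
The restriction described in the message above, as an added example that is not part of the original post: a shell script that reads the default `supported_enctypes` list from a kdc.conf fragment, separates the entries a Windows peer cannot use, and prints the `-e` list for the cross-realm principal. The kdc.conf fragment is constructed sample input, and the realm names, peer labels and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. The kdc.conf fragment below is constructed sample input;
# realm names are placeholders.
SAMPLE_KDC_CONF='[realms]
    EXAMPLE.COM = {
        supported_enctypes = des3-hmac-sha1:normal rc4-hmac:normal des-cbc-crc:normal des-cbc-md5:normal
    }'

# Print the enc:salt list from the first supported_enctypes line on stdin.
default_list() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Enctypes the post allows on a cross-realm principal shared with Windows.
# $1 is "pre2003sp1" or "2003sp1" (labels chosen for this example).
allowed_enctypes() {
    case "$1" in
        pre2003sp1) echo "des-cbc-md5 des-cbc-crc" ;;
        2003sp1)    echo "des-cbc-md5 des-cbc-crc rc4-hmac" ;;
        *)          return 1 ;;
    esac
}

# filter_list keep|drop PEER "enc:salt ..."
# keep: entries the peer can use; drop: entries that would create unusable keys.
filter_list() {
    mode=$1; out=""
    allowed=" $(allowed_enctypes "$2") " || return 1
    for entry in $3; do
        enc=${entry%%:*}
        # MIT krb5 accepts these names as aliases of rc4-hmac.
        case "$enc" in arcfour-hmac|arcfour-hmac-md5) enc=rc4-hmac ;; esac
        case "$allowed" in *" $enc "*) verdict=keep ;; *) verdict=drop ;; esac
        if [ "$verdict" = "$mode" ]; then out="$out$entry "; fi
    done
    echo "${out% }"
}

defaults=$(printf '%s\n' "$SAMPLE_KDC_CONF" | default_list)
echo "default list (used when -e is omitted): $defaults"
echo "not usable by a pre-2003 SP1 peer:      $(filter_list drop pre2003sp1 "$defaults")"
echo "addprinc -e \"$(filter_list keep pre2003sp1 "$defaults")\" krbtgt/WIN.EXAMPLE.COM@EXAMPLE.COM"
```

The last line it prints is the kadmin command to review before running; nothing is sent to a KDC.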

