Interop/Compat: 3DES used in AS-REP despite no client support
Jeffrey Altman
jaltman2 at nyc.rr.com
Wed Dec 7 14:53:47 EST 2005
When creating or modifying the cross-realm principals with
MIT kadmin, you must specify the list of enc:salt combinations
you wish created for that principal.
If you do not specify a list, the default list from kdc.conf
will be used.
You use the "-e enc:salt ..." option as documented here:
http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.3/doc/krb5-admin/Adding-or-Modifying-Principals.html#Adding%20or%20Modifying%20Principals
For the cross-realm principals, if your Windows servers are pre-2003
SP1, they must be restricted to DES-CBC-MD5 and DES-CBC-CRC. If the
servers are 2003 SP1 and later you can also include RC4-HMAC.
You do not need to modify the enctypes for all client and service
principals, just those used for the cross-realm relationships with
Windows domains.
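
The procedure described above, as an added example that is not part of the original post: a shell helper that prints the kadmin queries for both krbtgt principals of a trust, with the enc:salt list chosen by Windows level, each followed by a getprinc query to check the resulting keys. The realm names, the function names and the "normal" salt choice are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not from the original post.
# Realm names used at the bottom are constructed placeholders.

# Print the enc:salt list for a cross-realm principal.
#   $1 = pre-sp1  -> Windows servers older than 2003 SP1
#   $1 = sp1      -> Windows Server 2003 SP1 and later
xrealm_keysalts() {
    case "$1" in
        pre-sp1) echo "des-cbc-md5:normal des-cbc-crc:normal" ;;
        sp1)     echo "des-cbc-md5:normal des-cbc-crc:normal rc4-hmac:normal" ;;
        *)       echo "unknown Windows level: $1" >&2; return 1 ;;
    esac
}

# Print kadmin queries for both krbtgt principals of a trust.
#   $1 = MIT realm   $2 = Windows domain realm
#   $3 = pre-sp1|sp1 $4 = addprinc (create) | cpw (re-key existing)
# Passing -e explicitly keeps the kdc.conf default list from being used.
xrealm_queries() {
    ks=$(xrealm_keysalts "$3") || return 1
    case "$4" in
        addprinc|cpw) ;;
        *) echo "operation must be addprinc or cpw" >&2; return 1 ;;
    esac
    for p in "krbtgt/$2@$1" "krbtgt/$1@$2"; do
        printf '%s -e "%s" %s\n' "$4" "$ks" "$p"
        # getprinc lists the principal's keys so the enctypes can be checked
        printf 'getprinc %s\n' "$p"
    done
}

# Example run with constructed realm names: print the queries for review.
xrealm_queries EXAMPLE.COM WIN.EXAMPLE.COM pre-sp1 cpw
```

Each printed line can be typed at the kadmin prompt or passed to kadmin with -q; addprinc and cpw will prompt for the cross-realm password.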