Interop/Compat: 3DES used in AS-REP despite no client support

Brian Davidson bdavids1 at gmu.edu
Wed Dec 7 19:18:56 EST 2005 

You generally want to support all key types on your KDC.  You can 
restrict the key type from within kadmin:

kadmin: cpw -e "rc4-hmac:normal" krbtgt/AD.EXAMPLE.COM

Service principals should contain ONLY the key types supported by that 
service (i.e. rc4-hmac, des-cbc-md5, des-cbc-crc in the case of 
Windows).  User principals generally should contain ALL supported key 
types.  The client will send a list of supported key types to the KDC 
when requesting a service ticket.  The KDC compares that list with the 
key types available for the service.  The "strongest" (as specified by 
the client) key type is used for the session key.

The important bit is that the service you're connecting to is never 
asked what keys it supports.  The KDC assumes that all keys present on 
the KDC for that service are usable by the service.

RC4-HMAC is usable on Windows 2003 SP1, but you'll need to run:

ktpass -MitRealmName AD.EXAMPLE.COM -TrustEncryp RC4

after you have set up the trust, to get it to work.  You can ONLY (I'm 
95% sure) have an rc4-hmac key for the krbtgt/AD.EXAMPLE.COM principal.

You have to be careful with what key types are used for all of your 
host/*, krbtgt/*, ldap/*, etc principals.  The user principals should 
contain all key types supported by the KDC, unless you have a 
compelling reason not to and know what you're doing.


A ticket ends up using 3 keys, which may all be different key types:

1. shared session key - this is randomly generated by the KDC.  It must 
be a key type supported by both the client and the service.

2. client's key - The client must support this key type, and the 
principal must have a key of this type in the KDC.  Your password gets 
converted to this key during kinit, for example.

3. service's key - known by the server you're connecting to, and the 
KDC.

There are 2 copies of the shared session key.  One gets encrypted with 
the client's key, the other gets encrypted with the service's key.  It 
is entirely possible for 3 different types of keys to be used.  If user 
principals have keys of all possible types, and service principals only 
have keys of supported key types, it all works.

Windows 2003 R2 is supposed to add support for aes-128 and aes-256.  I 
don't know if that will be usable for cross-realm trusts or not.  Until 
SP1, rc4-hmac couldn't be used, even though it was a supported enctype 
for user and host principals...

Windows 2003 SP1 breaks kerberos authentication with Terminal Services. 
  Microsoft has a patch, KB902336 for this problem.  That KB article 
isn't public, but they should be able to provide you with a patch if 
you call and ask for it.

Brian Davidson
George Mason University

On Dec 7, 2005, at 12:48 PM, Matt wrote:

> Thank you for that info.
>
> I was able to solve the immediate problem by adding permitted_enctypes
> = rc4-hmac des-cbc-md5 des-cbc-crc to the [libdefaults] section of
> kerb5.conf. This caused DES to be used for all enc-parts and did allow
> the Windows KDC to issue a service ticket. This causes another problem,
> though, which is that I am unable to restart kadmind with the error: No
> matching key in entry having a permitted enctype
>
> Based on your statements, it would seem that a superior solution would
> be to ensure that for all the principals I create (user principals and
> the cross realm krbtgt/A.A at X.X) only RC4 and DES keys should be created
> and stored.
>
> How can I accompish this? I would be happy to recreate the principals
> after changing a setting, but I can't seem to find this configuration.
>
> With no enctype restrictions set anywhere, I would think that every MIT
> supported key type would be created and stored upon principal creation
> (ank <principal> within kadmin). But at present it seems that on my
> system only 3DES and DES keys are created, never RC4. My indications
> that this is happening are 1) If I create a principal (while no enctype
> restrictions are in place), and then try to authenticate that principal
> on a clinet which requests DES and RC4, DES (and 3DES for the first enc
> part) is always used in the response, never RC4. Also, if I use ktadd
> to export a keytab for that principal, only 3DES and DES keys are
> exported, never RC4. This leads me to believe that RC4 keys are never
> generated.
>
> Given that this is a Windows interop scenario, I think that I would
> want the MIT KDC and/or kadmin to create and store RC4 and DES (and no
> other) keys for all principals that I create. So far in my fumbling
> inexperience I have not been able to accomplish this. I tried to
> accomplish this by setting the supported_enctypes for the realm in
> kdc.conf to rc4-hmac des-cbc-md5:normal des-cbc-crc:normal but after
> restarting and creating a new principal, it still appears to store only
> 3DES and DES keys.
>
> Help!
>
> Thanks
>
> -Matt
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

More information about the Kerberos mailing list