Config for enctypes on *received* service tickets

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Sep 29 13:07:48 EDT 2005


Matt wrote:

> So, to sum up, if I am failing to accept service tickets that I am
> receiving as described above with error 31 BAD_INTEGRITY, do you think
> I should add a "permitted_enctypes" entry with the relevant ciphers (the
> Windows KDC appears to be using RC4-HMAC or DES-CBC-MD5, depending on
> configuration), or am I barking up the completely wrong tree?

You do not want to restrict the enctypes that can be used.
You need to make sure that you have keytab entries for all combinations
of service name, kvno, and enctype that are being received by the
service.  A Bad Integrity error is most likely the result of having
the wrong key in the keytab entry.

Jeffrey Altman

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
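
The check described in the reply above, as an added example that is not part of the original message: it lists the (principal, kvno, enctype) combinations present in a keytab and reports which combinations seen on incoming tickets have no entry. It assumes the MIT keytab file format version 0x0502; the function names and the sample entry builder are hypothetical, and any sample data built with it is constructed.

```python
import struct

RC4_HMAC, DES_CBC_MD5 = 23, 3   # enctype numbers for the two ciphers named in the thread

def _entry(e):
    """Decode one keytab entry body into (principal, kvno, enctype number)."""
    off = 2                             # the first two bytes are the component count
    def counted():                      # uint16 length followed by that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", e, off)
        off += 2 + n
        return e[off - n:off]
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    off += 8                            # skip name type and timestamp (4 bytes each)
    kvno, etype = struct.unpack_from(">BH", e, off)
    off += 3
    counted()                           # key bytes are skipped, never stored or printed
    if len(e) - off >= 4:               # optional 32-bit kvno overrides the 8-bit one
        kvno = struct.unpack_from(">I", e, off)[0] or kvno
    return (f"{name}@{realm}", kvno, etype)

def parse_keytab(data):
    """Return the set of (principal, kvno, enctype) in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            if pos + size > len(data):
                raise ValueError("truncated keytab entry")
            found.add(_entry(data[pos:pos + size]))
        pos += abs(size)                # a negative size marks a deleted slot to skip
    return found

def missing_entries(data, seen):
    """Combinations seen on incoming tickets that have no keytab entry."""
    return sorted(set(seen) - parse_keytab(data))

def sample_entry(principal, realm, kvno, etype, key):
    """Build one constructed entry (test data only, dummy key bytes)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = [p.encode() for p in principal.split("/")]
    body = (struct.pack(">H", len(parts)) + cs(realm.encode()) + b"".join(cs(p) for p in parts)
            + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key))
    return struct.pack(">i", len(body)) + body
```

An entry that matches on all three fields can still hold the wrong key, which is the case the reply singles out; this check only rules out a missing combination.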

