Ticket enctype question

Ben Poliakoff benp at reed.edu
Thu Aug 31 14:16:57 EDT 2006


* Ken Hornstein <kenh at cmf.nrl.navy.mil> [20060831 10:40]:
> >We're in the process of enabling additional enctypes in a K5 realm that
> >previously only had DES keys.  Our kdc.conf file now reads (in part):
> >
> >master_key_type    = des-cbc-crc
> >supported_enctypes = des-cbc-crc:normal des3-cbc-sha1:normal aes256-cts:normal
> 
> There's an implied preference order to the keys listed in
> supported_enctypes.  If you want AES to be used for tickets (when
> possible, of course), you should list that first.
> 
> (For session keys, the list sent by the client is used as the preference
> order).

An interesting interoperability wrinkle arises if you have any Windows
2K/XP machines with native kerberos libraries (not KfW) pointed at
your MIT KDC for authentication.  In my experiments a few months ago,
such machines *fail* to get tickets if the first enctype listed in the
KDC's 'supported_enctypes' is not 'des-cbc-crc:normal'.

In other words, when I tried reversing the order of 'supported_enctypes'
like this:

    supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal \
        des-cbc-crc:normal

I found that native windows clients could no longer authenticate to the
KDC.  Perhaps Vista will support enctypes other than single DES...

Has anyone else seen this?

Ben
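As an added example (not part of the thread, and not MIT code), a small Python check that parses the supported_enctypes line out of a kdc.conf fragment, honouring the backslash line continuation used above, and reports which enctype the KDC will prefer for ticket keys and whether single DES is still offered at all. The kdc.conf text and the realm name are constructed for the example.

```python
import re

# Constructed kdc.conf fragment (not from the thread), written in the
# backslash-continuation style shown in the post.
SAMPLE_KDC_CONF = """
[realms]
    EXAMPLE.COM = {
        master_key_type = des-cbc-crc
        supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal \\
            des-cbc-crc:normal
    }
"""

# Single-DES enctype names as MIT spells them in kdc.conf.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                "des-cbc-raw", "des-hmac-sha1"}


def parse_supported_enctypes(conf_text):
    """Return the ordered list of (enctype, salt) pairs from the
    supported_enctypes line, joining backslash-continued lines first."""
    joined = re.sub(r"\\\n\s*", " ", conf_text)
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", joined, re.M)
    if not m:
        return []
    pairs = []
    for token in m.group(1).split():
        enctype, _, salt = token.partition(":")
        pairs.append((enctype, salt or "normal"))
    return pairs


def assess_order(pairs):
    """Summarise what the list order implies: the first entry is the
    KDC's preferred ticket enctype; DES anywhere means DES keys exist."""
    enctypes = [e for e, _ in pairs]
    first = enctypes[0] if enctypes else None
    return {
        "preferred_ticket_enctype": first,
        "des_preferred": first in DES_ENCTYPES,
        "des_offered": any(e in DES_ENCTYPES for e in enctypes),
    }


if __name__ == "__main__":
    print(assess_order(parse_supported_enctypes(SAMPLE_KDC_CONF)))
```

A report showing des_preferred=True means every principal's ticket key defaults to single DES; des_offered=False means the legacy clients described above have no DES key to fall back to, which is the trade-off the thread is weighing.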