Ticket enctype question

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Aug 31 14:20:59 EDT 2006

>An interesting interoperability wrinkle arises if you have any Windows
>2K/XP machines with native kerberos libraries (not KfW) pointed at
>your MIT KDC for authentication.  In my experiments a few months ago,
>such machines *fail* to get tickets if the first enctype listed in the
>KDC's 'supported_enctypes' is not 'des-cbc-crc:normal'.
>In other words, when I tried reversing the order of 'supported_enctypes'
>like this:
>    supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal \
>        des-cbc-crc:normal

Hrm.  I've definately made it work without des-cbc-crc in the front.

>I found that native windows clients could no longer authenticate to the
>KDC.  Perhaps Vista will support enctypes other than single DES...

Didn't try arcfour, did you?


More information about the Kerberos mailing list