Ticket enctype question
Ken Hornstein
kenh at cmf.nrl.navy.mil
Thu Aug 31 14:20:59 EDT 2006
>An interesting interoperability wrinkle arises if you have any Windows
>2K/XP machines with native kerberos libraries (not KfW) pointed at
>your MIT KDC for authentication. In my experiments a few months ago,
>such machines *fail* to get tickets if the first enctype listed in the
>KDC's 'supported_enctypes' is not 'des-cbc-crc:normal'.
>
>In other words, when I tried reversing the order of 'supported_enctypes'
>like this:
>
> supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal \
> des-cbc-crc:normal
Hrm. I've definately made it work without des-cbc-crc in the front.
>I found that native windows clients could no longer authenticate to the
>KDC. Perhaps Vista will support enctypes other than single DES...
Didn't try arcfour, did you?
--Ken
More information about the Kerberos
mailing list