problem with the cross-realm, any help?

Wilper, Ross A rwilper at stanford.edu
Wed Aug 25 11:11:49 EDT 2010


Create a new GPO on the "Domain Controllers" OU

Computer Policy/Policies/Windows Settings/Security Settings/Local Policies/Security Options

If the MIT side has all of those enctypes enabled and the trust accounts have keys for all of those enctypes, then you won't need this.

By default, a new realm trust from Windows 2008 and later domain will use only RC4-HMAC encryption. Selecting "The other realm supports AES" in the GUI turns off RC4 and enables AES256 and AES128. You can use the ksetup command on a DC to set what enctypes are used for the trust to something more specific than these two options.

ksetup /SetEncTypeAttr <realm> <enctypes>

-Ross

From: c f [mailto:claudiawhf at gmail.com]
Sent: Wednesday, August 25, 2010 2:46 AM
To: Wilper, Ross A
Cc: kerberos at mit.edu
Subject: Re: problem with the cross-realm, any help?

Hi Ross,
On Tue, Aug 24, 2010 at 5:39 PM, Wilper, Ross A <rwilper at stanford.edu> wrote:
You mention allowing the DES enctypes on the Windows 7 box? Is that the only common enctype available between the MIT realm and Windows? (AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)
I have all these enctypes enabled in fact.

If so, you will need to have DES enabled on the domain controller also. This is most easily done (for all machines) using a group policy

"Network Security: Configure Encryption types allowed for Kerberos"

I have not found this group policy in a Windows Server 2008.
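Added example (not code from the thread or from either poster): the question Ross is really asking is whether the Windows trust, the DC's Kerberos policy and the MIT realm share at least one enctype. Windows stores the per-trust setting (what "ksetup /SetEncTypeAttr" and the "other realm supports AES" checkbox change) as the msDS-SupportedEncryptionTypes bitmask, and the "Network Security: Configure encryption types allowed for Kerberos" policy as the SupportedEncryptionTypes DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters; the bit values below follow that encoding. The mask values and the kdc.conf line are constructed for the example, and treating the usable set as the AND of the trust mask, the DC policy and the MIT list is a simplifying assumption made here to show why all three have to agree.

```python
# Added example: decode Windows Kerberos enctype bitmasks and check whether a
# cross-realm trust and an MIT realm share any enctype. Sample masks and the
# kdc.conf line are constructed; on a real DC the trust's value would come from
# "ksetup /GetEncTypeAttr <realm>" and the policy value from the registry.

# Bit assignments of msDS-SupportedEncryptionTypes / SupportedEncryptionTypes.
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "rc4-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# MIT krb5 spellings mapped onto the names used above.
MIT_ALIASES = {
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "rc4-hmac-md5": "rc4-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
}

# Assumed defaults for the scenarios below (constructed for this example):
TRUST_DEFAULT_RC4_ONLY = 0x04      # new 2008+ realm trust: RC4-HMAC only
TRUST_OTHER_REALM_AES = 0x18       # "other realm supports AES": AES256+AES128
DC_POLICY_NO_DES = 0x1C            # RC4+AES128+AES256, DES left off
DC_POLICY_ALL = 0x1F               # GPO configured to allow every enctype
DC_POLICY_AES_ONLY = 0x18


def decode_enctypes(mask):
    """Return the set of enctype names whose bits are set in mask."""
    return {name for name, bit in ENCTYPE_BITS.items() if mask & bit}


def encode_enctypes(names):
    """Inverse of decode_enctypes: build the bitmask for a list of names."""
    mask = 0
    for name in names:
        mask |= ENCTYPE_BITS[name.lower()]
    return mask


def parse_mit_enctypes(line):
    """Parse a kdc.conf supported_enctypes / permitted_enctypes value such as
    'aes256-cts:normal arcfour-hmac:normal' into the names used above.
    The ':salt' suffix is dropped and MIT aliases are normalized."""
    names = set()
    for token in line.split():
        enc = token.split(":", 1)[0].lower()
        names.add(MIT_ALIASES.get(enc, enc))
    return names


def common_enctypes(trust_mask, dc_policy_mask, mit_enctypes):
    """Enctypes usable on the trust under the simplifying assumption that an
    enctype must be allowed on the trust object, by the DC's Kerberos policy,
    and by the MIT realm. An empty result means the trust cannot work."""
    windows_side = decode_enctypes(trust_mask & dc_policy_mask)
    return windows_side & set(mit_enctypes)


if __name__ == "__main__":
    # Constructed kdc.conf line: the MIT side has every enctype enabled.
    mit = parse_mit_enctypes(
        "aes256-cts:normal aes128-cts:normal arcfour-hmac:normal "
        "des-cbc-md5:normal des-cbc-crc:normal"
    )
    scenarios = [
        ("default trust, DES off on DC", TRUST_DEFAULT_RC4_ONLY, DC_POLICY_NO_DES),
        ("other realm supports AES", TRUST_OTHER_REALM_AES, DC_POLICY_NO_DES),
        ("RC4-only trust, AES-only DC policy", TRUST_DEFAULT_RC4_ONLY, DC_POLICY_AES_ONLY),
        ("DES-only trust, DES off on DC", 0x03, DC_POLICY_NO_DES),
        ("DES-only trust, GPO allows all", 0x03, DC_POLICY_ALL),
    ]
    for label, trust, policy in scenarios:
        shared = sorted(common_enctypes(trust, policy, mit))
        print(f"{label}: {shared or 'NO COMMON ENCTYPE'}")
```

The last two scenarios are the case in this thread: a trust that only carries DES keys yields no common enctype until the GPO on the Domain Controllers OU turns DES back on, at which point the intersection becomes non-empty.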
