some cross-realm trust questions
Russ Allbery
rra at stanford.edu
Tue Dec 28 14:35:41 EST 2010
Victor Sudakov <vas at mpeks.no-spam-here.tomsk.su> writes:
> Russ Allbery wrote:
>> You use a password. Enter the same password on both sides when creating
>> the key, and then be sure to remove any extraneous enctypes on the Heimdal
>> side that AD isn't configured to provide.
> Do you mean to say that the key derivation algorithm is the same in
> Heimdal and in MS AD? The same password will yield the same key
> anywhere, in any Kerberos implementation?
Of course. Otherwise, you couldn't authenticate with a password to a
Kerberos KDC provided by a different implementation.
> And BTW how do I figure out what enctypes AD is configured to provide?
> Is there anything like "kadmin get" for AD?
I don't know, personally, having not administered AD myself, but I know
that information is available from the AD admin interface. Current
Windows supports 256-bit AES, 128-bit AES, RC4, and DES (although DES I
think is disabled by default). Older Windows only supports RC4 and DES.
I don't believe any version of Windows has ever supported 3DES.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>