some cross-realm trust questions

Wilper, Ross A rwilper at stanford.edu
Tue Dec 28 16:34:17 EST 2010


-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Nicolas Williams
Sent: Tuesday, December 28, 2010 11:58 AM
To: Victor Sudakov
Cc: kerberos at mit.edu
Subject: Re: some cross-realm trust questions


Our adjoin[0] script (which was referenced in a BigAdmin paper by Baban
Kenkre[1]) implements a heuristic to detect what enctypes are available
based on, IIRC, trying to add an LDAP attribute named
"msDS-SupportedEncryptionTypes" to the machine account object.  Failure
denotes older AD supporting 1DES and RC4 only; success denotes support
for AES-128 and AES-256.  

This is actually a bit dangerous. If an Active Directory has the schema upgraded to Windows 2008 or later, but not all domain controllers have been upgraded to Windows 2008 or later, then this will give the wrong response. 

The rough list of trust enctypes supported by Windows:

AES256	Windows 2008 and later
AES128	Windows 2008 and later
RC4-HMAC	Windows 2003 and later
DES-MD4	Windows 2000 and later, off by default in 2008+
DES-CBC	Windows 2000 and later, off by default in 2008+

Windows 2000 uses DES-CBC by default for cross-realm trusts.
Windows 2003 and later use only RC4-HMAC by default.

Windows 2008 and later support setting multiple enctypes using msDS-SupportedEncryptionTypes on the trust object in LDAP.

There is a much longer discussion about this on the ActiveDir mailing list.

-Ross
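The caveat in Ross's message, that a schema carrying msDS-SupportedEncryptionTypes says nothing about whether every domain controller can actually process AES, is easy to turn into a check. The script below is an added example and is not code from this thread or from the adjoin script Nicolas mentions. It decodes and encodes the msDS-SupportedEncryptionTypes bitmask (bit values from the MS-KILE specification, section 2.2.7, which the message itself does not list), applies the minimum Windows version per enctype from the table above (the table's two DES rows are mapped to MS-KILE's DES-CBC-CRC and DES-CBC-MD5 names, an assumption), and reports which configured enctypes the oldest DC in the domain cannot honour. The attribute values and domain-controller version lists are constructed sample input.

```python
"""Evaluate a cross-realm trust's enctypes against the domain controllers.

Added example, not from the mailing-list thread or the adjoin script.
Bit flags: MS-KILE 2.2.7. Minimum versions: the table in Ross's message.
Attribute values and DC version lists: constructed samples.
"""

# msDS-SupportedEncryptionTypes bit flags, per MS-KILE 2.2.7.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
NAME_TO_BIT = {name: bit for bit, name in ENCTYPE_BITS.items()}

# Oldest Windows release (as a year) able to use each enctype for a trust,
# taken from the table in the message. The table's DES rows are assumed to
# correspond to the two MS-KILE DES flags.
MIN_WINDOWS = {
    "DES-CBC-CRC": 2000,
    "DES-CBC-MD5": 2000,
    "RC4-HMAC": 2003,
    "AES128-CTS-HMAC-SHA1-96": 2008,
    "AES256-CTS-HMAC-SHA1-96": 2008,
}

WEAK = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}


def decode_enctypes(value):
    """Names of the enctypes whose bits are set, weakest first.

    Bits outside the five defined flags are ignored."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def encode_enctypes(names):
    """Inverse of decode_enctypes: build the attribute value from names."""
    value = 0
    for name in names:
        value |= NAME_TO_BIT[name]
    return value


def default_enctypes(oldest_dc):
    """Trust enctypes used when the attribute is absent (pre-2008 schema).

    Per the message: 2003 and later negotiate only RC4-HMAC; 2000 uses
    DES-CBC. The message does not say which DES checksum, so both DES
    variants are listed for the 2000 case."""
    if oldest_dc >= 2003:
        return ["RC4-HMAC"]
    return ["DES-CBC-CRC", "DES-CBC-MD5"]


def configured_enctypes(attr_value, oldest_dc):
    """What the trust object asks for: the decoded attribute, or the
    version default when the attribute is None (schema lacks it)."""
    if attr_value is None:
        return default_enctypes(oldest_dc)
    return decode_enctypes(attr_value)


def effective_trust_enctypes(attr_value, dc_versions):
    """Enctypes the trust can actually use.

    A configured enctype only counts if every domain controller is new
    enough to handle it. This is the case the message warns about: the
    schema has been upgraded (so the attribute exists and is writable)
    but some DCs have not."""
    oldest = min(dc_versions)
    return [name for name in configured_enctypes(attr_value, oldest)
            if MIN_WINDOWS[name] <= oldest]


def audit_trust(attr_value, dc_versions):
    """Return (usable enctypes, list of findings) for one trust object."""
    oldest = min(dc_versions)
    configured = configured_enctypes(attr_value, oldest)
    usable = effective_trust_enctypes(attr_value, dc_versions)
    findings = []
    dropped = [name for name in configured if name not in usable]
    if dropped:
        findings.append("configured but unusable on oldest DC (%d): %s"
                        % (oldest, ", ".join(dropped)))
    if not usable:
        findings.append("no enctype usable by every DC; trust authentication will fail")
    weak = [name for name in usable if name in WEAK]
    if weak:
        findings.append("weak enctypes in use: %s" % ", ".join(weak))
    return usable, findings


if __name__ == "__main__":
    # Constructed sample: trust set to RC4+AES128+AES256 (0x1C) in a domain
    # whose schema is 2008-level but which still has a Windows 2003 DC.
    print(audit_trust(0x1C, [2008, 2008, 2003]))
    # Constructed sample: AES-only trust (0x18), all DCs 2008 or later.
    print(audit_trust(0x18, [2008, 2012]))
```

Run against the first constructed sample, the audit reports both AES enctypes as configured but unusable and RC4-HMAC as the only enctype the trust will really negotiate, which is exactly the situation an attribute-writable heuristic misreads as "AES available". The DC version list stands in for whatever inventory source (LDAP operatingSystem attributes, an asset database) a site actually has.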
