some cross-realm trust questions
Wilper, Ross A
rwilper at stanford.edu
Tue Dec 28 16:34:17 EST 2010
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Nicolas Williams
Sent: Tuesday, December 28, 2010 11:58 AM
To: Victor Sudakov
Cc: kerberos at mit.edu
Subject: Re: some cross-realm trust questions
Our adjoin[0] script (which was referenced in a BigAdmin paper by Baban
Kenkre[1]) implements a heuristic to detect what enctypes are available
based on, IIRC, trying to add an LDAP attribute named
"msDS-SupportedEncryptionTypes" to the machine account object. Failure
denotes older AD supporting 1DES and RC4 only; success denotes support
for AES-128 and AES-256.
This is actually a bit dangerous. If an Active Directory has the schema upgraded to Windows 2008 or later, but not all domain controllers have been upgraded to Windows 2008 or later, then this will give the wrong response.
The rough list of trust enctypes supported by Windows:

  AES256    Windows 2008 and later
  AES128    Windows 2008 and later
  RC4-HMAC  Windows 2003 and later
  DES-MD4   Windows 2000 and later, off by default in 2008+
  DES-CBC   Windows 2000 and later, off by default in 2008+

Windows 2000 uses DES-CBC by default for cross-realm trusts.
Windows 2003 and later use only RC4-HMAC by default.
Windows 2008 and later support setting multiple enctypes using msDS-SupportedEncryptionTypes on the trust object in LDAP.
There is a much longer discussion about this on the ActiveDir mailing list.
-Ross
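As an added illustration (not code from the thread, the adjoin script, or the BigAdmin paper), the following Python models Ross's version-to-enctype table and the failure mode he describes: the heuristic in the quoted adjoin script treats "the msDS-SupportedEncryptionTypes attribute is writable" as "AES is available", but attribute writability only proves the schema was upgraded, while the trust can only use enctypes that every domain controller still in the domain supports. The bit values for msDS-SupportedEncryptionTypes are the ones documented in MS-KILE (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256); they are not stated in the post. Mapping the post's "DES-MD4" and "DES-CBC" rows onto those two DES flags is an assumption of this example, as are all function names.

```python
"""Model of the Windows trust-enctype matrix from the post, plus a decoder for
the msDS-SupportedEncryptionTypes bit flags. Added example; not from the thread."""

from __future__ import annotations

# Bit flags of msDS-SupportedEncryptionTypes as documented in MS-KILE 2.2.7.
# These values are not in the post; they are quoted from the specification.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

FLAG_NAMES = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    RC4_HMAC: "rc4-hmac",
    AES128_CTS_HMAC_SHA1_96: "aes128-cts-hmac-sha1-96",
    AES256_CTS_HMAC_SHA1_96: "aes256-cts-hmac-sha1-96",
}
ALL_FLAGS = sum(FLAG_NAMES)

# Windows Server versions in release order; Ross's table is keyed on these.
ORDER = {"2000": 0, "2003": 1, "2008": 2}

# Assumption: the post's "DES-MD4" / "DES-CBC" rows are the two DES flags above.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}


def supported_enctypes(version: str) -> set[str]:
    """Enctypes a DC of the given Windows version can use on a trust (post's table)."""
    rank = ORDER[version]
    enctypes = set(DES_ENCTYPES)          # Windows 2000 and later
    if rank >= ORDER["2003"]:
        enctypes.add("rc4-hmac")           # Windows 2003 and later
    if rank >= ORDER["2008"]:              # Windows 2008 and later
        enctypes.update({"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"})
    return enctypes


def default_enctypes(version: str) -> set[str]:
    """Enctypes a trust uses when nothing is configured: DES on 2000, RC4 on 2003+."""
    if ORDER[version] == ORDER["2000"]:
        return set(DES_ENCTYPES)
    return {"rc4-hmac"}


def decode_supported_enctypes(value: int) -> set[str]:
    """Turn an msDS-SupportedEncryptionTypes integer into enctype names.
    Rejects bits outside the documented set rather than silently dropping them."""
    unknown = value & ~ALL_FLAGS
    if unknown:
        raise ValueError(f"unrecognised bits 0x{unknown:x} in msDS-SupportedEncryptionTypes")
    return {name for flag, name in FLAG_NAMES.items() if value & flag}


def encode_supported_enctypes(names: set[str]) -> int:
    """Inverse of decode_supported_enctypes, for writing the attribute on a trust object."""
    by_name = {name: flag for flag, name in FLAG_NAMES.items()}
    value = 0
    for name in names:
        value |= by_name[name]   # KeyError on a name the attribute cannot express
    return value


def safe_trust_enctypes(dc_versions: list[str]) -> set[str]:
    """Enctypes every DC that might service the trust can handle: the intersection
    across DCs. This is exactly what the 'can I write the attribute?' heuristic skips."""
    usable: set[str] | None = None
    for version in dc_versions:
        supported = supported_enctypes(version)
        usable = supported if usable is None else usable & supported
    return usable or set()


def heuristic_overreach(schema_version: str, dc_versions: list[str]) -> set[str]:
    """Enctypes the attribute-writability heuristic would pick that the domain's
    DCs cannot all support. Empty means the heuristic happened to be right."""
    # Writable attribute => heuristic assumes every DC matches the schema version.
    assumed = supported_enctypes(schema_version)
    return assumed - safe_trust_enctypes(dc_versions)


if __name__ == "__main__":
    # Constructed scenario: schema upgraded to 2008, one 2003 DC not yet upgraded.
    dcs = ["2008", "2008", "2003"]
    print("heuristic would wrongly select:", sorted(heuristic_overreach("2008", dcs)))
    print("attribute value for what is actually safe:",
          hex(encode_supported_enctypes(safe_trust_enctypes(dcs))))
```

The useful check before relying on the attribute is the last function: enumerate the operating-system versions of every DC (not just the schema version) and intersect, which in the constructed mixed 2008/2003 domain strips AES back out even though the attribute is writable.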