some cross-realm trust questions

Mark Pröhl mark at
Sat Jan 1 10:21:26 EST 2011

On 12/28/2010 06:02 PM, Victor Sudakov wrote:
> Russ Allbery wrote:
> [dd]
>>> But it still escapes me how on earth I will end up with
>>> having the same key. There is nothing in the above articles about
>>> exporting and importing keytabs.
>> You use a password.  Enter the same password on both sides when creating
>> the key, and then be sure to remove any extraneous enctypes on the Heimdal
>> side that AD isn't configured to provide.
> Do you mean to say that the key derivation algorithm is the same in
> Heimdal and in MS AD? The same password will yield the same key
> anywhere, in any Kerberos implementation?
> And BTW how do I figure out what enctypes AD is configured to provide?
> Is there anything like "kadmin get" for AD?
In Windows 2008 R2 the encryption types of inter-realm keys can
be configured with ksetup.exe.  Cross realm trusts to kerberos
realms use rc4 inter realm keys by default. To change this to aes256
you can use the following command on a domain controller:

     ksetup.exe /SetEncTypeAttr MIT.REALM AES256-CTS-HMAC-SHA1-96

("MIT.REALM" is the name of the MIT Kerberos realm)

More information about the Kerberos mailing list