some cross-realm trust questions

Victor Sudakov vas at
Fri Jan 7 01:20:03 EST 2011

Mark Pr?hl wrote:


> > And BTW how do I figure out what enctypes AD is configured to provide?
> > Is there anything like "kadmin get" for AD?
> >
> In Windows 2008 R2 the encryption types of inter-realm keys can
> be configured with ksetup.exe.  Cross realm trusts to kerberos
> realms use rc4 inter realm keys by default. To change this to aes256
> you can use the following command on a domain controller:

>      ksetup.exe /SetEncTypeAttr MIT.REALM AES256-CTS-HMAC-SHA1-96

> ("MIT.REALM" is the name of the MIT Kerberos realm)

Thank you, I'll save it for future reference. For the present however
I have to deal with win2000 and win2003 domain controllers. It is
strange that there is no kadmin snapin or any other graphical KDC
administration tool.

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet

More information about the Kerberos mailing list