cross-realm with windows 2k3 ad
Douglas E. Engert
deengert at anl.gov
Sun Jun 19 20:48:06 EDT 2011
On 6/19/2011 7:06 AM, Mark Davies wrote:
> On Saturday 18 June 2011 06:08:33 Douglas E. Engert wrote:
>>> surely the rc4-hmac type should be supported?
>>
>> Yes it should be. But when you setup the cross realm trust,
>> did W2K3 assume the MIT realm could only do DES?
>> Id the des-only bit on in the TGT account in AD?
>
> How does one check in AD? and change it if it is?
Check the userAccountControl attribute of the cross realm TGT
look for USE_DES_KEY_ONLY = 2097152, i.e. 0x200000
http://support.microsoft.com/kb/305144
>
>> DES is off by default in most Kerberos and W2008.
>
> That I knew, but don't know anything about the "des-only bit".
>
> cheers
> mark
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list