cross-realm with windows 2k3 ad
Douglas E. Engert
deengert at anl.gov
Mon Jun 20 09:58:27 EDT 2011
On 6/19/2011 8:55 PM, Mark Davies wrote:
> On Mon, 20 Jun 2011, Douglas E. Engert wrote:
>>> How does one check in AD? and change it if it is?
>>
>> Check the userAccountControl attribute of the cross realm TGT
>> look for USE_DES_KEY_ONLY = 2097152, i.e. 0x200000
>> http://support.microsoft.com/kb/305144
>
> But how do you find the cross realm TGT object in something that will
> let you look at userAccountControl? I don't have direct access to
> the AD so need to tell the admins there where to go and what to
> change.

OK, AD does not store the krbtgt as a principal, but this article on setting
up trust might help. Note the use of the enctype on ktpass, and use the
correct ktpass for 2003. It is for Heimdal, which can have the same problem:
"Windows 2003RC2: maximum encryption type is RC4, relationship defaults to DES"
http://www.h5l.org/manual/HEAD/info/heimdal/Inter_002dRealm-keys-_0028trust_0029-between-Windows-and-a-Heimdal-KDC.html
>
>
> cheers
> mark
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
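
The userAccountControl check quoted in the message above, as an added example (not part of the original post and not code from MIT Kerberos, Heimdal or Microsoft): it decodes the attribute from an LDIF export and lists the entries that have USE_DES_KEY_ONLY set. The sample entries and their DNs are constructed, the function names are hypothetical, and the flag table is a subset of the one in KB 305144.

```python
import re

# Subset of the userAccountControl flag table in Microsoft KB 305144.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
USE_DES_KEY_ONLY = 0x200000  # 2097152, the value quoted in the thread

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldif(text):
    """Yield (dn, userAccountControl) per entry; unfolds LDIF continuation
    lines (a newline followed by one space). Base64 '::' values are skipped."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():
            key, sep, val = line.partition(": ")
            if sep:
                attrs.setdefault(key.lower(), val)
        if "dn" in attrs and "useraccountcontrol" in attrs:
            yield attrs["dn"], int(attrs["useraccountcontrol"])

def des_only_accounts(text):
    """Return the DNs whose userAccountControl has USE_DES_KEY_ONLY set."""
    return [dn for dn, uac in parse_ldif(text) if uac & USE_DES_KEY_ONLY]

# Constructed sample export (hypothetical names, not from the thread).
SAMPLE_LDIF = """\
dn: CN=svc-unix,CN=Users,DC=example,DC=test
userAccountControl: 2163200

dn: CN=alice,CN=Users,DC=example,DC=test
userAccountControl: 512

dn: CN=legacy-host,OU=A very long organizational unit name that folds,
 DC=example,DC=test
userAccountControl: 2097664
"""

if __name__ == "__main__":
    for dn, uac in parse_ldif(SAMPLE_LDIF):
        print(f"{dn}: {uac:#x} {decode_uac(uac)}")
    print("DES only:", des_only_accounts(SAMPLE_LDIF))
```
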