upgrade the inter-realm trust key to AES (Giuseppe Mazza)

Giuseppe Mazza g.mazza at imperial.ac.uk
Wed May 27 09:37:39 EDT 2015


On 10/04/15 17:23, kerberos-request at mit.edu wrote:
> I would like to upgrade my inter-realm trust key from DES to AES.
>
> My current situation is
> i] Domain IC.AC.UK (Windows Server 2012): I have no access to it. People
> from College manage it.
>
> Users in IC.AC.UK (Windows) can login and use services in DOC.IC.AC.UK
> (Linux).
>
> ii] Realm DOC.IC.AC.UK (Ubuntu14.04)

> My College counterpart, i.e. the Windows person from College, tells me
> that it will be enough to enable (via GP) the AES enctype for the
> inter-realm trust key on the Windows side.
>
> However I am a bit concerned: our inter-realm trust is very old and was
> created when no AES support existed in Windows.
> They have upgraded through the different versions of Windows Server upto
> the 2012 one, but the inter-realm trust has remained the same since it
> was created.
> My naive understanding is that the AES inter-realm trust key will work
> only if
> - the actual AES key exists
> - the AES enctype is enabled
>
> Is it plausible there is no AES key on their Windows DCs?
>

Please find the answer to my previous question (just in case someone has
the same problem):

https://technet.microsoft.com/en-us/library/ff646918(v=ws.10).aspx

In particular
====
- Issue
At one time the user account or trust was running on an operating 
system, Java platform, or Kerberos version that did not support RC4. 
Therefore, the account was changed to support DES only. This also 
applies to trusts with older, non-Windows Kerberos realms. Even if the 
operating system or platform was upgraded to support RC4 or Advanced 
Encryption Standard (AES), the account does not update automatically and 
is still using only DES.


- Resolution
If the computer that hosts the account is running a recent version of a 
non-Windows operating system or Java platform, removing the DES-only 
property from the user account allows other encryption types to be used. 
If the account was created before the domain functional level was 
Windows Server 2008, two things must be done to support AES:

     Change the service account password to create an AES key.

     Set AES 128-bit and 256-bit encryption support for the service account.
====

Hope it helps,
Giuseppe
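The TechNet resolution quoted above has two halves: the Windows side must get a fresh trust password (so that AES keys are derived from it) and must be told the trust supports AES, and the MIT side must hold the same password with AES enctypes. The following is an added example, not part of the original thread or of any MIT or Microsoft tooling: a POSIX shell script that inspects the MIT KDC's cross-realm principal from a `kadmin getprinc` transcript, reports whether it still carries only single-DES keys, and prints the rotation commands for both sides. The transcripts are constructed samples; the principal name `krbtgt/DOC.IC.AC.UK@IC.AC.UK`, the placeholder password and the host `server.doc.ic.ac.uk` are assumptions, and the Windows-side `ksetup` step is the equivalent of what the College administrators would do on their DC.

```shell
#!/bin/sh
# Added example (not from the original post or from MIT/Microsoft tools):
# check an MIT KDC's cross-realm principal for AES keys and print the
# rotation steps. Runs offline on constructed "kadmin getprinc" output.

# Cross-realm principal on the DOC.IC.AC.UK KDC whose key must equal the
# Windows trust password: Windows users from IC.AC.UK present a TGT for it.
# (assumed name; adjust for your realms)
TRUST_PRINC="krbtgt/DOC.IC.AC.UK@IC.AC.UK"

# Constructed sample of 'kadmin.local -q "getprinc $TRUST_PRINC"' for a
# trust created when only DES existed on the Windows side.
SAMPLE_DES_ONLY='Principal: krbtgt/DOC.IC.AC.UK@IC.AC.UK
Expiration date: [never]
Last password change: Mon Mar 05 10:12:31 GMT 2007
Number of keys: 1
Key: vno 1, des-cbc-crc
Policy: [none]'

# Constructed sample of the same principal after a password reset with
# AES (plus RC4 for older clients) enctypes.
SAMPLE_AES='Principal: krbtgt/DOC.IC.AC.UK@IC.AC.UK
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, arcfour-hmac
Policy: [none]'

# key_enctypes TRANSCRIPT: print one enctype name per line.
key_enctypes() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno [0-9]*, \([^ ,:]*\).*/\1/p'
}

# has_aes TRANSCRIPT: exit 0 if at least one key uses an AES enctype.
has_aes() {
    key_enctypes "$1" | grep -q '^aes'
}

# des_only TRANSCRIPT: exit 0 if every key is a single-DES enctype, i.e.
# the account is still in the "DES only" state the TechNet article describes.
des_only() {
    n_keys=$(key_enctypes "$1" | awk 'END { print NR }')
    n_des=$(key_enctypes "$1" | awk '/^des-cbc-/ { n++ } END { print n + 0 }')
    [ "$n_keys" -gt 0 ] && [ "$n_keys" -eq "$n_des" ]
}

# rotation_commands PRINCIPAL PASSWORD: print the steps that give the trust
# an AES key on both sides. The password must be the same on both sides.
rotation_commands() {
    princ="$1"
    pw="$2"
    cat <<EOF
# 1. Windows side (IC.AC.UK domain controller, run by its administrators):
#    mark the trust as AES-capable, then reset the trust password to the
#    agreed value so the DC derives a new key set (including AES) from it.
ksetup /setenctypeattr DOC.IC.AC.UK AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC-MD5
#    (reset the trust password to '$pw' in Active Directory Domains and Trusts)
# 2. MIT side (DOC.IC.AC.UK KDC): set the same password with AES enctypes.
#    The default 'normal' salt (realm + principal components) is the salt
#    Windows uses for realm-trust keys, so both sides derive the same keys.
kadmin.local -q "cpw -pw '$pw' -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal,arcfour-hmac:normal $princ"
# 3. Verify from a client: the cross-realm TGT must now show an AES enctype.
kinit user@IC.AC.UK && kvno host/server.doc.ic.ac.uk && klist -e
EOF
}

# Stand-alone run: report on the DES-only sample and print the fix.
if des_only "$SAMPLE_DES_ONLY"; then
    echo "$TRUST_PRINC has only single-DES keys; rotate it:"
    rotation_commands "$TRUST_PRINC" 'replace-with-new-trust-password'
fi
if has_aes "$SAMPLE_AES"; then
    echo "after rotation: AES key present, enctypes:"
    key_enctypes "$SAMPLE_AES"
fi
```

Run it against real output by replacing the constructed transcript with `"$(kadmin.local -q "getprinc $TRUST_PRINC")"`. Order matters when you do this for real: enable AES on the trust object first, then reset the password on both sides in one maintenance window, because until both sides hold the new password no cross-realm ticket will validate. Once `klist -e` shows the AES enctype on the cross-realm TGT, the old DES keys can be dropped (MIT `purgekeys`) and `allow_weak_crypto` turned off on the KDC.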