upgrade the inter-realm trust key to AES

Todd Grayson tgrayson at cloudera.com
Wed May 27 10:42:08 EDT 2015

You delete and re-establish the trust from the AD side, which will apply
domain defaults to the trust.  You can use the /remove switch in the netdom
trust command instead of /add; see the docs from the technet link below.

The following config will render a one-way cross-realm trust where the MIT
realm will trust users authenticated by AD for access to Kerberos-protected

On an AD Domain Controller, set "TrustPassword" to the shared password you
will use on both the AD and MIT side for the cross-realm krbtgt/ principal.

c:\Users\Administrator> netdom trust MIT.EXAMPLE.COM /Domain:AD.EXAMPLE.COM /add /realm /passwordt:TrustPassword


ksetup /SetEncTypeAttr MIT.EXAMPLE.COM <enc_type>


For AES encryption, replace <enc_type> with AES256-CTS-HMAC-SHA1-96 or
AES128-CTS-HMAC-SHA1-96 and for RC4 encryption, replace with RC4-HMAC-MD5.
You can list multiple enc types through a space-delimited list on the command
line; see the technet link above for details.

Then on your MIT KDC side you need to create a proper cross-realm principal
(delete the current one and replace it with a known correct one).

(from within kadmin or kadmin.local as an administrator)

kadmin: addprinc -e "aes256-cts:normal aes128-cts:normal rc4-hmac:normal"

When prompted for the "password" provide the same "TrustPassword" you set
in the netdom trust command.

On Fri, Apr 10, 2015 at 8:28 AM, Giuseppe Mazza <g.mazza at imperial.ac.uk>

> Dear All,
> I would like to upgrade my inter-realm trust key from DES to AES.
> My current situation is
> i] Domain IC.AC.UK (Windows Server 2012): I have no access to it. People
> from College manage it.
> Users in IC.AC.UK (Windows) can login and use services in DOC.IC.AC.UK
> (Linux).
> ii] Realm DOC.IC.AC.UK (Ubuntu 14.04): I have got full control on it
> I have got the keys below:
> kadmin:  get_principal krbtgt/DOC.IC.AC.UK at IC.AC.UK
> Principal: krbtgt/DOC.IC.AC.UK at IC.AC.UK
> ...
> Number of keys: 5
> Key: vno 1, des3-cbc-sha1, no salt
> Key: vno 1, des-cbc-crc, no salt
> Key: vno 1, des-cbc-crc, Version 4
> Key: vno 1, des-cbc-crc, AFS version 3
> Key: vno 1, arcfour-hmac, no salt
> MKey: vno 1
> Attributes:
> Policy: default
> Here are my questions:
> 1]
> do you know any utility - kind of get_principal - in Windows?
> 2]
> My College counterpart, i.e. the Windows person from College, tells me
> that it will be enough to enable (via GP) the AES enctype for the
> inter-realm trust key on the Windows side.
> However I am a bit concerned: our inter-realm trust is very old and was
> created when no AES support existed in Windows.
> They have upgraded through the different versions of Windows Server up to
> the 2012 one, but the inter-realm trust has remained the same since it
> was created.
> My naive understanding is that the AES inter-realm trust key will work
> only if
> - the actual AES key exists
> - the AES enctype is enabled
> Is it plausible there is no AES key on their Windows DCs?
> ( In principle I could use the command below (on the linux side):
> kadmin> change_password -e aes256-cts-hmac-sha1-96:normal -keepold
> krbtgt/DOC.IC.AC.UK at IC.AC.UK )
> All the best,
> Giuseppe
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

Todd Grayson
Customer Operations Engineering
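As an added check, not part of the thread or of MIT Kerberos itself: a POSIX shell audit over getprinc output for the MIT-side cross-realm principal, confirming that AES keys exist and no DES-family keys remain once the principal has been re-created. The two key lists are constructed (the "before" one mirrors the listing quoted above); on a real KDC the input would be the output of kadmin.local -q "getprinc krbtgt/DOC.IC.AC.UK@IC.AC.UK".

```shell
# Constructed sample: the cross-realm krbtgt key list quoted in the thread,
# before the upgrade (shape of "kadmin.local -q 'getprinc <principal>'" output).
OLD_KEYS='Principal: krbtgt/DOC.IC.AC.UK@IC.AC.UK
Number of keys: 5
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-crc, Version 4
Key: vno 1, des-cbc-crc, AFS version 3
Key: vno 1, arcfour-hmac, no salt'

# Constructed sample: the same principal after re-creating it with
# addprinc -e "aes256-cts:normal aes128-cts:normal rc4-hmac:normal".
NEW_KEYS='Principal: krbtgt/DOC.IC.AC.UK@IC.AC.UK
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, arcfour-hmac, no salt'

# Print one enctype per line: the second comma-separated field of each "Key:" line.
key_enctypes() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno [0-9]*, \([^,]*\),.*/\1/p'
}

# Print the distinct DES-family enctypes (des-cbc-*, des3-*) still on the principal.
des_enctypes() {
    key_enctypes "$1" | grep '^des' | LC_ALL=C sort -u
}

# Succeed only when at least one AES key exists and no DES-family key remains.
trust_keys_ok() {
    _aes=$(key_enctypes "$1" | grep -c '^aes' || true)
    _des=$(des_enctypes "$1")
    [ "$_aes" -gt 0 ] && [ -z "$_des" ]
}

# Audit the "before" sample: reports the DES keys that still need to go.
if trust_keys_ok "$OLD_KEYS"; then
    echo "trust key set has AES and no DES"
else
    echo "DES keys still present: $(des_enctypes "$OLD_KEYS" | tr '\n' ' ')"
fi
```

The same functions run unchanged against real getprinc output, so the check can be repeated after every change_password -e or addprinc -e step.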
