Unable to have KDC use different enctype for session/service key

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Sep 17 13:23:00 EDT 2002


>I suspect you will run into cases in 1.0.6 where clients or servers
>will fail even if you have a single des session key with a triple des
>ticket.

Hm, I haven't run into any such cases yet.  And we've been doing this
in production coming up on a week now, and so far we have had no
problems (at least, none I've gotten any reports of, or seen in any of the
logs).  That's with old clients getting and using 3DES TGTs and
single-DES session keys.  So I think that it does work okay (which
surprises me, but there you go).  If you know of a situation where it
doesn't work, then please let me know, because that of course would
change my migration plans considerably.

>Given your stated constraints, if you cannot get multiple tgts in the
>cache to work, I think you may in fact have to cripple your KDC.

Well, given the choice between crippling most of my clients, or crippling
the KDC for a while, I'll have to go with the KDC for now (at least it's
easy enough to undo when I have everything moved over).

--Ken


