Issues with keytab creation related to switch to w2k3 w/ ktutil
Douglas E. Engert
deengert at anl.gov
Wed Apr 7 13:49:53 EDT 2004
Jeffrey Altman wrote:
> Are you sure you are receiving the correct enctype?
> Doug has reported that he is receiving DES-CBC-MD5
> when he is expecting DES-CBC-CRC from Windows 2003.
W2003 does not let the client select the the enctype,
so even if you request des-cbc-crc, it will send des-cbc-md5.
See "KDC does not allow clients to specify an etype in Windows Server 2003"
We are trying to get this hotfix and the NO_PAC hotfix together.
They both update kdcsrv.dll on the server.
> Do you have network traces of the exchange?
> - Jeff
> Neulinger, Nathan wrote:
> >Sam, give me a little credit please. I'm well aware of the kvno issue.
> >If it were just a simple rtfm answer like that, I wouldn't have asked
> >the question here in the first place.
> >The princ is being re-created each time, and we know the kvno, and have
> >verified that with adsiedit. The keytab has the appropriate key with
> >that kvno in it.
> >If it were a simple kvno mismatch, this would be easy to resolve - I
> >should know, we already had to deal with that for authentications
> >against win2k3 boxes for our afs service principals and krb524 - which
> >was resolved without any significant issues.
> >-- Nathan
> krbdev mailing list krbdev at mit.edu
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the krbdev