Issues with keytab creation related to switch to w2k3 w/ ktutil

Douglas E. Engert deengert at
Wed Apr 7 13:49:53 EDT 2004

Jeffrey Altman wrote:
> Nathan:
> Are you sure you are receiving the correct enctype?
> Doug has reported that he is receiving DES-CBC-MD5
> when he is expecting DES-CBC-CRC from Windows 2003.

W2003 does not let the client select the the enctype,
so even if you request des-cbc-crc, it will send des-cbc-md5.

See "KDC does not allow clients to specify an etype in Windows Server 2003";en-us;833708

We are trying to get this hotfix and the NO_PAC hotfix together. 
They both update kdcsrv.dll on the server. 

> Do you have network traces of the exchange?
> - Jeff
> Neulinger, Nathan wrote:
> >Sam, give me a little credit please. I'm well aware of the kvno issue.
> >If it were just a simple rtfm answer like that, I wouldn't have asked
> >the question here in the first place.
> >
> >The princ is being re-created each time, and we know the kvno, and have
> >verified that with adsiedit. The keytab has the appropriate key with
> >that kvno in it.
> >
> >If it were a simple kvno mismatch, this would be easy to resolve - I
> >should know, we already had to deal with that for authentications
> >against win2k3 boxes for our afs service principals and krb524 - which
> >was resolved without any significant issues.
> >
> >-- Nathan
> >
> >
> >
> _______________________________________________
> krbdev mailing list             krbdev at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the krbdev mailing list