Issues with keytab creation related to switch to w2k3 w/ ktutil
Jeffrey Altman
jaltman at columbia.edu
Wed Apr 7 13:56:02 EDT 2004
Douglas E. Engert wrote:
>
>Jeffrey Altman wrote:
>
>>Nathan:
>>
>>Are you sure you are receiving the correct enctype?
>>Doug has reported that he is receiving DES-CBC-MD5
>>when he is expecting DES-CBC-CRC from Windows 2003.
>>
>
>W2003 does not let the client select the enctype,
>so even if you request des-cbc-crc, it will send des-cbc-md5.
>
>See "KDC does not allow clients to specify an etype in Windows Server 2003"
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;833708
>
>We are trying to get this hotfix and the NO_PAC hotfix together.
>They both update kdcsrv.dll on the server.
>
>
Has anyone read this KB article?

Symptoms:

The Microsoft Windows Server 2003 Key Distribution Center (KDC) uses
the strongest encryption type (etype) available to encrypt service
tickets. If a client requests etype DES-CBC-CRC, the KDC encrypts
tickets with DES-CBC-MD5. If the client does not understand this
etype, the service ticket is unusable.

More Information:

Windows Server 2003 was designed to be compliant with RFC 1510bis.
The new logic that is introduced in this hotfix does not comply with
RFC 1510bis. By default, the new logic is disabled.

In what way is the client's listing a set of known enctypes not
compliant with RFC 1510bis?

Jeffrey Altman