Issues with keytab creation related to switch to w2k3 w/ ktutil

Jeffrey Altman jaltman at
Wed Apr 7 13:56:02 EDT 2004

Douglas E. Engert wrote:

>Jeffrey Altman wrote:
>>Are you sure you are receiving the correct enctype?
>>Doug has reported that he is receiving DES-CBC-MD5
>>when he is expecting DES-CBC-CRC from Windows 2003.
>W2003 does not let the client select the the enctype,
>so even if you request des-cbc-crc, it will send des-cbc-md5.
>See "KDC does not allow clients to specify an etype in Windows Server 2003"
>We are trying to get this hotfix and the NO_PAC hotfix together. 
>They both update kdcsrv.dll on the server. 
Has anyone read this KB article?


    The Microsoft Windows Server 2003 Key Distribution Center (KDC) uses
    the strongest encryption type (etype) available to encrypt service
    tickets. If a client requests etype DES-CBC-CRC, the KDC encrypts
    tickets with DES-CBC-MD5. If the client does not understand this
    etype, the service ticket is unusable.

    More Information:

    Windows Server 2003 was designed to be compliant with RFC 1510bis.
    The new logic that is introduced in this hotfix does not comply with
    RFC 1510bis. By default, the new logic is disabled.

In what way is the client's listing a set of known enctypes not 
compliant with RFC 1510bis?

Jeffrey Altman

More information about the krbdev mailing list