Vista x86 client cross-realm interop with MIT KDCs

Henry B. Hotz hotz at
Wed Oct 18 17:50:48 EDT 2006

On Oct 14, 2006, at 9:08 AM, krbdev-request at wrote:

> Date: Fri, 13 Oct 2006 15:59:11 -0700
> From: "Karl R. Grose" <karlgrose at>
> Subject: Vista x86 client cross-realm interop with MIT KDCs
> To: krbdev at
> Cc: "John E. Weber" <johnweber at>, Mike Friedman <mikef at>
> Message-ID: <45301A3F.2060008 at>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hello MIT developers,
>
> Microsoft has identified what they believe to be an interop issue
> between the Vista x86 client and recent MIT KDCs when operating as part
> of an AD-MIT cross-realm scenario. Our CAMPUS.BERKELEY.EDU AD realm
> trusts our BERKELEY.EDU MIT realm and has worked fine for years with
> WinXP hosts joined to the CAMPUS domain where users are defined as
> @BERKELEY.EDU principals and mapped to shadow AD user accounts via
> altSecurityIdentities. See Microsoft's analysis of the issue near the
> end of the appended excerpt of the report I opened with the Vista Beta
> team.
>
> --Karl
> Karl Grose
> UC Berkeley

[...detail omitted...]

Out of curiosity, does it work if you delete the des-cbc-crc keys, so
it *has* to use the des-cbc-md5 keys?

I know there have been discussions about why you can't do that in
general, but I'm afraid I didn't track them.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
