Vista x86 client cross-realm interop with MIT KDCs

Henry B. Hotz hotz at jpl.nasa.gov
Wed Oct 18 17:50:48 EDT 2006


On Oct 14, 2006, at 9:08 AM, krbdev-request at mit.edu wrote:

> Date: Fri, 13 Oct 2006 15:59:11 -0700
> From: "Karl R. Grose" <karlgrose at berkeley.edu>
> Subject: Vista x86 client cross-realm interop with MIT KDCs
> To: krbdev at mit.edu
> Cc: "John E. Weber" <johnweber at berkeley.edu>, Mike Friedman <mikef at ack.berkeley.edu>
> Message-ID: <45301A3F.2060008 at berkeley.edu>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hello MIT developers,
>
> Microsoft has identified what they believe to be an interop issue
> between the Vista x86 client and recent MIT KDCs when operating as part
> of an AD-MIT cross-realm scenario. Our CAMPUS.BERKELEY.EDU AD realm
> trusts our BERKELEY.EDU MIT realm and has worked fine for years with
> WinXP hosts joined to the CAMPUS domain where users are defined as
> @BERKELEY.EDU principals and mapped to shadow AD user accounts via
> altSecurityIdentities. See Microsoft's analysis of the issue near the
> end of the appended excerpt of the report I opened with the Vista Beta team.
>
> --Karl
>
> Karl Grose
> UC Berkeley

[...detail omitted...]

Out of curiosity, does it work if you delete the des-cbc-crc keys, so  
it *has* to use the des-cbc-md5 keys?

I know there have been discussions about why you can't do that in  
general, but I'm afraid I didn't track them.

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu




