Interoperability with Microsoft KDC using AES
tstecher at qwest.net
Wed May 30 01:51:49 EDT 2007
Small correction below... Time to get up with the times...
On May 29, 2007, at 2:35 PM, Todd Stecher wrote:
> On May 29, 2007, at 2:21 PM, Ankur Upadhyaya wrote:
>> Based on what I have read so far, I understand that only DES
>> can be used if client and server principals using MIT Kerberos 5
>> are to interoperate with a Microsoft Windows Server 2000 or 2003
>> Active
MIT 1.4.1 supports RC4 HMAC. Major DOH!
Don't use DES unless you really really really have to.
>> As of Windows Server 2008, however, Microsoft will support 256-bit
>> encryption for its Kerberos implementation. Does anybody have any
>> information on whether or not MIT Kerberos 5 principals will be
>> able to interoperate with this Microsoft KDC using 256-bit AES
>> encryption (or anything stronger than DES)?
> If this didn't happen, someone at MS is asleep at the wheel (right
> larry / JK?). In truth, when I left, AES interop was one of the
> top priorities of the Windows team, and they've been contributing
> heavily to the AES standard.
> (In fact, support for an AES Kerberos client may already be in Vista.)