Interoperability with Microsoft KDC using AES

Henry B. Hotz hotz at
Wed May 30 12:50:25 EDT 2007

On May 30, 2007, at 9:09 AM, krbdev-request at wrote:

> Date: Tue, 29 May 2007 22:51:49 -0700
> From: Todd Stecher <tstecher at>
> Subject: Re: Interoperability with Microsoft KDC using AES
> To: Todd Stecher <tstecher at>, Ankur Upadhyaya
> 	<ankur at>
> Cc: krbdev at
> Message-ID: <87EEB9B6-5FA5-40C5-B19F-49D9F56E51D6 at>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
> Small correction below... Time to get up with the times...
> On May 29, 2007, at 2:35 PM, Todd Stecher wrote:
>> On May 29, 2007, at 2:21 PM, Ankur Upadhyaya wrote:
>>> Based on what I have read so far, I understand that only DES
>>> encryption
>>> can be used if client and server principals using MIT Kerberos 5
>>> are to
>>> interoperate with a Microsoft Windows Server 2000 or 2003 Active
>>> Directory
>>> KDC.
>> Correct.
> MIT 1.4.1 supports RC4 HMAC.  major DOH!
> Don't use DES unless you really really really have to.

Yes, but you reputedly need the latest version of the support tools
on W2K3 in order to get the options to enable its use with non-MS
machines.  They aren't automatically updated, unlike the server
software itself.

IIRC Longhorn/Vista/whatever server isn't out yet.

>>> As of Windows Server 2008, however, Microsoft will support 256-bit
>>> AES
>>> encryption for its Kerberos implementation.  Does anybody have any
>>> information on whether or not MIT Kerberos 5 principals will be
>>> able to
>>> interoperate with this Microsoft KDC using 256-bit AES encryption
>>> (or
>>> anything stronger than DES)?
>> If this didn't happen, someone at MS is asleep at the wheel (right
>> larry / JK?).  In truth, when I left, AES interop was one of the
>> top priorities of the Windows team, and they've been contributing
>> heavily to the AES standard.
>> (In fact, support for an AES Kerberos client may already be in
>> Vista.)

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
