Good morning Andrew - I have created case SRX090803600034 to track our work against your request. One of my team colleagues will take ownership of this case and contact you shortly.
Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Monday, August 03, 2009 8:29 AM
To: Interoperability Documentation Help
Cc: [email protected]; [email protected]
Subject: How to determine if an account should use AES?

G'day,

In Windows 2008 mode, we now generate AES keys for user and computer accounts. The KDC will then issue tickets using those keys. However, it seems to me that we should not do so for Windows XP and similar targets - i.e., those that would not be able to decrypt AES keys.

In traditional Kerberos, you would manually set the encryption types for which you generated keys to the 'safe set' of commonly accepted types.

How, as a domain controller, should I know what encryption types are safe for a particular member server to accept (and for the DC to generate and store)?

Also, where should we return this information: For example, should we return what encryption types the workstation supports in 2.2.1.3.11 NETLOGON_DOMAIN_INFO: SupportedEncTypes, or is this the encryption types supported by the domain?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
