Hi Andrew,

I've been investigating this and I'm still discussing with the product group 
what would be the best way to better detail this process.

As explained in the document, the KDC will rely on the AD property 
msDS-SupportedEncryptionTypes. 
Now, if the property is not populated by the server or service, then the KDC 
will default to RC4, which is the legacy type.

With respect to the NETLOGON_DOMAIN_INFO, Matthieu is working with Obaid on 
that section and I believe Obaid is sending him his response shortly.

Please let me know if you need further assistance.

Thanks and regards,

Sebastian

Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: [email protected]



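The following is an added illustration, not code from either correspondent, of the rule Sebastian states above: the KDC reads the account's msDS-SupportedEncryptionTypes attribute, and an absent (or zero) value is treated as RC4 only. The bit values are the ones documented for that attribute in MS-KILE; the account names and raw values in SAMPLE_ACCOUNTS are constructed for the example, and an administrator would normally obtain them from a directory query rather than a literal dictionary.

```python
# Added example (not from the email thread): decode msDS-SupportedEncryptionTypes
# and apply the KDC's fallback rule described in the reply above.
from typing import Dict, List, Optional

# Bit flags defined for msDS-SupportedEncryptionTypes (MS-KILE, Supported
# Encryption Types Bit Flags). Only the key-type bits are listed here.
ENC_TYPE_BITS: Dict[int, str] = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
RC4_BIT = 0x04
AES_MASK = 0x08 | 0x10


def effective_enctype_mask(value: Optional[int]) -> int:
    """Mask the KDC will act on: an unset or zero attribute means RC4 only."""
    return RC4_BIT if not value else value


def decode_supported_enctypes(value: Optional[int]) -> List[str]:
    """Human-readable list of the encryption types the KDC will use for this account."""
    mask = effective_enctype_mask(value)
    return [name for bit, name in ENC_TYPE_BITS.items() if mask & bit]


def supports_aes(value: Optional[int]) -> bool:
    """True when at least one AES type is advertised (and so AES keys are usable)."""
    return bool(effective_enctype_mask(value) & AES_MASK)


def rc4_only_accounts(accounts: Dict[str, Optional[int]]) -> List[str]:
    """Audit helper: accounts for which the KDC will fall back to legacy RC4 keys."""
    return sorted(name for name, value in accounts.items() if not supports_aes(value))


# Constructed sample data (hypothetical account names and attribute values).
# None models an account where the attribute was never populated.
SAMPLE_ACCOUNTS: Dict[str, Optional[int]] = {
    "WKS-XP$": None,      # attribute absent -> RC4
    "SRV2008$": 0x18,     # AES128 + AES256
    "SQLSVC": 0x1C,       # RC4 + AES128 + AES256
    "LEGACY$": 0x04,      # explicitly RC4 only
    "FILESRV$": 0x00,     # populated but zero -> RC4
}

if __name__ == "__main__":
    for name, raw in SAMPLE_ACCOUNTS.items():
        print(f"{name:10s} raw={raw!r:6} -> {', '.join(decode_supported_enctypes(raw))}")
    print("RC4-only accounts:", rc4_only_accounts(SAMPLE_ACCOUNTS))
```

The audit helper is the practical use of the rule: accounts that come back from rc4_only_accounts are the ones for which a KDC following the behaviour described above will keep issuing RC4-keyed tickets, whether because the attribute was never set (the Windows XP-style targets Andrew mentions) or because it was deliberately set to RC4.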
-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]] 
Sent: Monday, August 03, 2009 7:29 AM
To: Interoperability Documentation Help
Cc: [email protected]; [email protected]
Subject: How to determine if an account should use AES?

G'day,

In Windows 2008 mode, we now generate AES keys for user and computer accounts.  
The KDC will then issue tickets using those keys.

However, it seems to me that we should not do so for Windows XP and similar 
targets, i.e. those that would not be able to decrypt AES keys.  

In traditional kerberos, you would manually set the encryption types for which 
you generated keys to the 'safe set' of commonly accepted types.
How, as a domain controller, should I know what encryption types are safe for a 
particular member server to accept (and for the DC to generate and store)?

Also, where should we return this information:  For example, should we return 
what encryption types the workstation supports in 2.2.1.3.11
NETLOGON_DOMAIN_INFO: SupportedEncTypes, or is this the encryption types 
supported by the domain?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol