Andrew, I received the following response from the product group, which I am forwarding for your feedback. Please let me know if this resolves your question.
[MS-KILE] Section 3.3.1.1 "Account Database Extensions" specifies the account database extension which impacts KDC behavior:

  KerbSupportedEncryptionTypes: A 32-bit unsigned integer that contains a combination of flags that specify what encryption types (section 2.2.5) are supported by the application server.<24> KILE implementations that use an Active Directory for the account database SHOULD use the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.324).

[MS-KILE] Section 3.3.5.3 "AS Exchange" specifies the behavior during AS_REQ processing:

  If the krbtgt account has a KerbSupportedEncryptionTypes populated with supported encryption types, then the KDC SHOULD<28> return in the encrypted part ([Referrals-11], Appendix A) of the AS-REP message PA-DATA with padata-type set to PA-SUPPORTED-ENCTYPES (165), to indicate what encryption types are supported by the domain KDCs. If not, the KDC SHOULD check if the krbtgt account has the UseDESOnly flag and if set to:
  - TRUE: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x3 (Section 2.2.5).
  - FALSE: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x7 (Section 2.2.5).

[MS-KILE] Section 3.3.5.4 "TGS Exchange" specifies the behavior during TGS_REQ processing:

  If the server or service has a KerbSupportedEncryptionTypes populated with supported encryption types, then the KDC SHOULD<31> return in the encrypted part ([Referrals-11], Appendix A) of the TGS-REP message PA-DATA with padata-type set to PA-SUPPORTED-ENCTYPES (165), to indicate what encryption types are supported by the server or service. If not, the KDC SHOULD<32> check the server or service account's UseDESOnly and if set to:
  - TRUE: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the TGS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x3 (Section 2.2.5).
  - FALSE: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the TGS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x7 (Section 2.2.5).

Bryan

From: Bryan Burgin
Sent: Wednesday, July 07, 2010 1:46 PM
To: Andrew Bartlett ([email protected]); '[email protected]'; '[email protected]'; '[email protected]'
Cc: MSSolve Case Email; Edgar Olougouna
Subject: [REG:110062157456375] -[MS-ADTS] 7.1.6.7.3 msDs-supportedEncryptionTypes usage

Andrew, Edgar is going to be out of the office for a bit. I will be handling this issue for you in his absence. He has an inquiry filed with the product group. I just pinged them to let them know that I'm their new contact. As soon as I have more information, I'll let you know.

Bryan
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
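As an added worked example (not code from the thread, from Samba or from Microsoft), the following Python models the [MS-KILE] rule quoted above for choosing the PA-SUPPORTED-ENCTYPES (165) padata-value and uses it to audit which accounts a KDC would advertise to clients without any AES type. The section 2.2.5 bit values beyond the quoted 0x3/0x7 and the sample account records are assumptions.

```python
from typing import Dict, List

# Flag bits of the KerbSupportedEncryptionTypes bitmask ([MS-KILE] section 2.2.5).
# Bit values are assumed from that section; the thread itself only quotes 0x3 and 0x7.
ENCTYPE_FLAGS: Dict[int, str] = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
PA_SUPPORTED_ENCTYPES = 165          # padata-type from the quoted text
AES_MASK = 0x08 | 0x10

def kdc_supported_enctypes_value(kerb_supported_enctypes: int, use_des_only: bool) -> int:
    """padata-value the KDC returns, per the quoted [MS-KILE] 3.3.5.3/3.3.5.4 rule:
    a populated (non-zero) KerbSupportedEncryptionTypes is returned as-is; otherwise
    UseDESOnly selects 0x3 (DES only) or 0x7 (DES + RC4)."""
    if kerb_supported_enctypes:
        return kerb_supported_enctypes
    return 0x3 if use_des_only else 0x7

def decode_enctypes(value: int) -> List[str]:
    """Expand a section 2.2.5 bitmask into encryption type names."""
    return [name for bit, name in ENCTYPE_FLAGS.items() if value & bit]

def advertises_no_aes(value: int) -> bool:
    """True when the client would be told this account supports only DES/RC4."""
    return value & AES_MASK == 0

def audit_accounts(accounts: List[dict]) -> List[dict]:
    """Compute the PA-DATA the KDC would send for each account record and flag AES-less ones."""
    report = []
    for acct in accounts:
        value = kdc_supported_enctypes_value(
            acct.get("msDS-SupportedEncryptionTypes") or 0, acct.get("UseDESOnly", False))
        report.append({"name": acct["name"],
                       "padata": (PA_SUPPORTED_ENCTYPES, value),
                       "enctypes": decode_enctypes(value),
                       "no_aes": advertises_no_aes(value)})
    return report

# Constructed sample records (not real directory data); attribute absent == not populated.
SAMPLE_ACCOUNTS = [
    {"name": "krbtgt", "msDS-SupportedEncryptionTypes": 0x1C},   # RC4 + AES128 + AES256
    {"name": "legacy-svc", "UseDESOnly": True},                  # falls back to 0x3
    {"name": "file-svc"},                                        # falls back to 0x7
]
```

Running `audit_accounts(SAMPLE_ACCOUNTS)` shows that an account with neither the attribute nor UseDESOnly set is advertised as 0x7, i.e. DES and RC4 only, which is the case worth hunting for in a real directory.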
