On Mon, 2012-01-30 at 20:26 +0000, Edgar Olougouna wrote:
> Andrew,
>
> This happens in a typical scenario similar to the following.
>
> The DC is running Windows Server 2008 at domain functional level Windows
> Server 2003.
> The Kerberos client and server present the following etypes to the DC:
> EType: aes256-cts-hmac-sha1-96 (18)
> EType: aes128-cts-hmac-sha1-96 (17)
> EType: rc4-hmac (23)
>
> The client is issued a ticket with an encryption type aes256-cts-hmac-sha1-96
> (18).
> The PAC in the service ticket has a SignatureType of
> KERB_CHECKSUM_HMAC_MD5 (based on the logic described in my previous email,
> condition 1) is met but condition 2) is not met).

I'm clearly missing something here: How does the KDC issue a service ticket with type AES and not meet the requirements for an AES checksum on the PAC?

Also, which key is the signature calculated with in this case?

Also, can you explain how this describes the behaviour when the server only supports DES? We find that the SignatureType is of type KERB_CHECKSUM_HMAC_MD5 but the DES key (with which the ticket was encrypted) is in fact used for the HMAC calculation.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
