In article <[EMAIL PROTECTED]>, John Hascall <[EMAIL PROTECTED]> wrote:
> It's not old VPN software, it's some new thing from Cisco.

This is a semi-documented limitation in the Cisco VPN server software. I have been complaining about it to our Cisco SE to no avail. (Aside to Sam: Jeff just bought a couple of these. Can you ask him what, if anything, he did about this?)

Apparently, des-cbc-md5 is the only enctype AD supports, and that's the only one they are ever going to implement. (This is obviously insane, since they already have all of the necessary crypto primitives to implement des3-cbc-sha1, which is what our KDC is doing by default.)

If it helps any, John: I was able to get our VPN 3005 to authenticate simply by changing a test user's password with a keytype of des-cbc-md5; while this doesn't help the rest of our users, it definitely demonstrates that the bug is in Cisco's handling of the initial AS reply. (This makes sense, since the thing doesn't verify tickets; it has no host key.)

-GAWollman

-- 
Garrett A. Wollman    | As the Constitution endures, persons in every
[EMAIL PROTECTED]     | generation can invoke its principles in their own
Opinions not those of | search for greater freedom.
MIT, LCS, CRS, or NSA | - A. Kennedy, Lawrence v. Texas, 539 U.S. ___ (2003)

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
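The following is an added example, not part of Wollman's post and not code from Cisco or MIT. It models the enctype negotiation behind his observation: the KDC answers an AS-REQ with an AS-REP encrypted in one of the etypes the client listed, and only if the client principal has a long-term key of that type; when there is no overlap it returns KDC_ERR_ETYPE_NOSUPP (error code 14, RFC 4120). The `getprinc` transcripts are constructed sample text in MIT kadmin's "Key:" line format, the principal name is hypothetical, and the two client etype lists are assumptions (the VPN 3005 offering only des-cbc-md5, as the post describes, and an MIT kinit of that era preferring des3-cbc-sha1).

```python
"""Model of Kerberos AS-REQ/AS-REP enctype selection (added example).

Constructed inputs: kadmin `getprinc` output and client etype lists.
"""
import re

# RFC 3961/4120 etype numbers for the types discussed in the thread.
ETYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23,
}

# Display names MIT kadmin's `getprinc` uses in its "Key:" lines.
KADMIN_KEY_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "ArcFour with HMAC/md5": "arcfour-hmac",
}

KDC_ERR_ETYPE_NOSUPP = 14  # RFC 4120 section 7.5.9

# "Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt"
KEY_LINE = re.compile(r"^Key:\s+vno\s+\d+,\s*([^,]+)")


def principal_etypes(getprinc_output):
    """Return the set of etype names a principal has keys for, parsed from
    the 'Key:' lines of `kadmin getprinc` output. Names not in the display
    table are assumed to already be etype names (newer kadmin prints those)."""
    etypes = set()
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            name = m.group(1).strip()
            etypes.add(KADMIN_KEY_NAMES.get(name, name))
    return etypes


def select_etype(client_etypes, stored_etypes):
    """Walk the client's etype list in its preference order and return the
    first type the principal has a key for, or None if there is no overlap."""
    for et in client_etypes:
        if et in stored_etypes:
            return et
    return None


def as_exchange(client_etypes, getprinc_output):
    """Simulate the KDC's reply to an AS-REQ: ("AS-REP", etype) on success,
    ("KRB-ERROR", 14) when no offered etype matches a stored key."""
    chosen = select_etype(client_etypes, principal_etypes(getprinc_output))
    if chosen is None:
        return ("KRB-ERROR", KDC_ERR_ETYPE_NOSUPP)
    return ("AS-REP", chosen)


# Assumed client offers: the VPN appliance as described in the thread, and
# an MIT kinit whose default_tkt_enctypes prefers des3-cbc-sha1.
CISCO_VPN3005_ETYPES = ["des-cbc-md5"]
MIT_KINIT_ETYPES = ["des3-cbc-sha1", "des-cbc-md5", "des-cbc-crc"]

# Constructed getprinc output: a principal keyed by a KDC that defaults to
# des3-cbc-sha1 (the "before" state in the post).
SAMPLE_DES3 = """\
Principal: testuser@EXAMPLE.EDU
Number of keys: 1
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
"""

# After `cpw -e des-cbc-md5:normal testuser` (assumed invocation): only the
# single-DES key remains, so kinit would also be pushed down to des-cbc-md5.
SAMPLE_DES_ONLY = """\
Principal: testuser@EXAMPLE.EDU
Number of keys: 1
Key: vno 4, DES cbc mode with RSA-MD5, no salt
"""

# After `cpw -e des3-cbc-sha1:normal,des-cbc-md5:normal testuser` (assumed):
# both keys stored, so each client gets the strongest type it offered.
SAMPLE_BOTH = """\
Principal: testuser@EXAMPLE.EDU
Number of keys: 2
Key: vno 5, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 5, DES cbc mode with RSA-MD5, no salt
"""


def demo():
    """Run both clients against each key state; returns a dict for inspection."""
    out = {}
    for label, text in [("des3", SAMPLE_DES3), ("des-only", SAMPLE_DES_ONLY),
                        ("both", SAMPLE_BOTH)]:
        out[label] = {"vpn3005": as_exchange(CISCO_VPN3005_ETYPES, text),
                      "kinit": as_exchange(MIT_KINIT_ETYPES, text)}
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "both" case is the one worth checking in a real deployment before touching every user's password: keeping a des3-cbc-sha1 key alongside des-cbc-md5 lets ordinary clients keep the stronger type while the appliance gets the only one it offers. Single-DES enctypes are deprecated (RFC 6649), so any such key should be treated as a temporary accommodation for the one client that needs it.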
