The actual issue is not on the initial tgt, but on the tgt obtained when the initial tgt is forwarded. Perhaps the diagram below will help:

Workstation ---> Server running IIS + GSS initiator --> GSS acceptor service

On the Workstation we have IE configured for Kerberos authentication. The user logs in and is issued with a tgt from AD that uses DES keytype. This is working as expected because we changed the "Use DES encryption for this account" in AD.

On IIS we receive the forwarded tgt, but the keytype for the forwarded copy of the initial tgt seems to be RC4-HMAC and not DES. Our code on the IIS server is trying to acquire credentials to initiate a security context with another service. When we do this we get an error 'Key type not recognised'.

If we run the same code that is running on IIS server using the original initial tgt on the workstation it works as expected, so clearly the keytype is changed when a forwarded tgt is issued by AD.

"Calimer0" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Is there any way to force AD server to use only DES encryption type
> for a user? (If this is not the right group for this question, I'd
> appreciate a pointer to a more appropriate forum.)

Follow this path:

Start --> Programs --> Administrative Tools --> Active Directory Users and Computers

Select Properties of the user you want to change, then select the Account tab. In Account options check "Use DES encryption for this account". Consider that this option is typically used for non-Windows Kerberos principals.

Hope it will work.

Mark
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
