On Wed, 2004-02-18 at 00:49, Jeffrey Altman wrote: > rousset wrote: > > Hello, > > > > I have established a trust relationship between Active Directory and MIT > > Kerberos realm, mapped principals, and can successfully logon to a Win2k > > workstation using a Kerberos principal. This is right with attribute > > "PRE-AUTH required" enabled and encryption des-cbc-crc, or md5. > > But I'd like to set rc4-hmac as default encryption on MIT principals. > > It fails with "Additionnal Pre-authentication required" log on MIT's > > side if pre-auth is enabled > > (Work if pre-auth disabled) > > I have verified with Microsoft that the default configuration of Windows > 2003 does not allow the use of RC4-HMAC with MIT KDC Trust > relationships. There is functionality to support this mode of operation > unfortunately there are no tools available to allow you to enable it. > I thougt that the inclusion of support for rc4-hmac encryption types in kdcs servers (MIT & Heimdal) was aimed to avoid the use of not-very-secure des-cbc-md5 and des-cbc-crc enc-types when you want interoperate between Windows and non windows kerberos realms. > I have obtained the necessary information to construct a tool to enable > RC4-HMAC support for MIT KDC Trust relationships and will endeavor to > build one in the next day or two for inclusion within the final release > of KfW 2.6. At the very least this tool will allow you to specify a > MIT Realm Name and allow the RC4-HMAC flag to be toggled on or off. > Will this tool work with heimdal too? > Jeffrey Altman > KfW Maintainer > ________________________________________________ > Kerberos mailing list [EMAIL PROTECTED] > https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
