Alberto Patino wrote:
On Wed, 2004-02-18 at 00:49, Jeffrey Altman wrote:
I have verified with Microsoft that the default configuration of Windows
2003 does not allow the use of RC4-HMAC with MIT KDC Trust
relationships. There is functionality to support this mode of operation
unfortunately there are no tools available to allow you to enable it.
I thougt that the inclusion of support for rc4-hmac encryption types in
kdcs servers (MIT & Heimdal) was aimed to avoid the use of
not-very-secure des-cbc-md5 and des-cbc-crc enc-types when you want
interoperate between Windows and non windows kerberos realms.
The use of RC4-HMAC at present can only be used to obtain TGT and
Service Tickets. It cannot be used for Cross Realm Trusts.
I have obtained the necessary information to construct a tool to enable
RC4-HMAC support for MIT KDC Trust relationships and will endeavor to
build one in the next day or two for inclusion within the final release
of KfW 2.6. At the very least this tool will allow you to specify a
MIT Realm Name and allow the RC4-HMAC flag to be toggled on or off.
Will this tool work with heimdal too?
As the tool affects the Windows 2003 Server LSA configuration, it should
allow RC4-HMAC cross realm trusts to be configured with any non-MS KDC.
(Assuming I can get it to work.)
Jeffrey Altman
KfW Maintainer
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
