Douglas E. Engert wrote:
> "D. Schikora" wrote:
>
>> Hello
>>
>> Is there a guide anywhere for Kerberos and Windows 2003 Server? I can only
>> find the old one for W2K and I hope there are some changes between W2K and
>> W2K3.
>
> Not that I know of. Note that when you use the ktpass command and use the DesOnly
> flag, this is saved in the AD. 2000 will then use an enctype of des-cbc-crc,
> whereas 2003 will use des-cbc-md5 when generating tickets for a server.
> What this means is that you may need to have two keys in a server's keytab if you
> are converting from 2000 to 2003, one for each enctype. They both have the same
> key and kvno but different enctypes.
>
> (Microsoft should have had two flags.)

The change in Windows 2003 was not to use DES-CBC-MD5 instead of DES-CBC-CBC. The change was to use the stronger encryption type requested by the client instead of the first encryption type requested by the client. If the client removes DES-CBC-MD5 from the permitted_enctypes list, Windows 2003 will issue a DES-CBC-CRC ticket.

Jeffrey Altman

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
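
The two selection rules discussed in this thread, as a small model that also checks which keytab entries a service would need during a 2000-to-2003 migration. This is an added illustration, not code from either poster or from any KDC; the function names, the sample principal, the kvno and the strength ranking are assumptions.

```python
# Toy model of the KDC enctype choice described in the thread (assumed names).
# Assumed ranking for the model only: higher value = treated as stronger.
STRENGTH = {"des-cbc-crc": 1, "des-cbc-md5": 2}

# Enctypes available for an account flagged DesOnly (as discussed in the thread).
DES_ONLY = {"des-cbc-crc", "des-cbc-md5"}


def pick_first(client_etypes, account_etypes):
    """Rule attributed to Windows 2000: first client-requested enctype that is usable."""
    for etype in client_etypes:
        if etype in account_etypes:
            return etype
    return None


def pick_strongest(client_etypes, account_etypes):
    """Rule attributed to Windows 2003: strongest client-requested enctype that is usable."""
    usable = [e for e in client_etypes if e in account_etypes]
    return max(usable, key=STRENGTH.__getitem__, default=None)


def keytab_gap(keytab, principal, kvno, client_lists, account_etypes):
    """Enctypes that either rule could select but the keytab has no entry for."""
    have = {e for (p, k, e) in keytab if p == principal and k == kvno}
    needed = set()
    for requested in client_lists:
        for rule in (pick_first, pick_strongest):
            chosen = rule(requested, account_etypes)
            if chosen is not None:
                needed.add(chosen)
    return sorted(needed - have)


# Constructed sample data: one client lists CRC first, one has removed MD5.
CLIENTS = [["des-cbc-crc", "des-cbc-md5"], ["des-cbc-crc"]]
PRINCIPAL, KVNO = "host/server.example.com@EXAMPLE.COM", 3  # hypothetical values
KEYTAB_CRC_ONLY = [(PRINCIPAL, KVNO, "des-cbc-crc")]
KEYTAB_BOTH = KEYTAB_CRC_ONLY + [(PRINCIPAL, KVNO, "des-cbc-md5")]

if __name__ == "__main__":
    for requested in CLIENTS:
        print(requested, "-> first:", pick_first(requested, DES_ONLY),
              "| strongest:", pick_strongest(requested, DES_ONLY))
    print("missing (crc-only keytab):",
          keytab_gap(KEYTAB_CRC_ONLY, PRINCIPAL, KVNO, CLIENTS, DES_ONLY))
    print("missing (both entries):",
          keytab_gap(KEYTAB_BOTH, PRINCIPAL, KVNO, CLIENTS, DES_ONLY))
```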
