Craig Huckabee wrote:
>
> I did some testing last night on a demo realm I have on a private
> network - whatever enctype is listed first for the krbtgt principal is
> the one selected for the tkt no matter what the client asks for. The
> skey gets selected as expected when default_tgs_enctypes is used.

The client should never be able to influence the choice of the enctype of the service ticket. That is a decision made by the KDC based upon its most preferred enctype for which there is an entry for the service principal. It is the responsibility of the Kerberos administrator to only assign enctypes to service principals that the service can understand.

The choice of the enctype used to protect the response to the client is made by the KDC. It uses its most preferred enctype that is supported by the client.

The choice of session key enctype can be requested by the client application.

Jeffrey Altman
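
The three selection rules described in the reply above, as an added example that is not part of the original message and is not MIT krb5 code. The function names, the KDC preference list and the key list are constructed for illustration. Two points are assumptions: "supported by the client" is modelled as the enctype list the client sends, and the session key is modelled as the first client-requested enctype the KDC also permits.

```python
from typing import NamedTuple, Optional, Sequence


class Selection(NamedTuple):
    ticket: Optional[str]   # enctype protecting the service ticket
    reply: Optional[str]    # enctype protecting the KDC reply to the client
    session: Optional[str]  # enctype of the session key


def first_match(preference: Sequence[str], allowed: Sequence[str]) -> Optional[str]:
    """Return the first enctype in `preference` that also appears in `allowed`."""
    allowed_set = set(allowed)
    return next((e for e in preference if e in allowed_set), None)


def select_enctypes(kdc_preference: Sequence[str],
                    service_keys: Sequence[str],
                    client_requested: Sequence[str]) -> Selection:
    # Ticket: KDC's most preferred enctype that the service principal has a
    # key for. The client's request is deliberately not an input here.
    ticket = first_match(kdc_preference, service_keys)
    # Reply: KDC's most preferred enctype that the client supports.
    reply = first_match(kdc_preference, client_requested)
    # Session key (assumption): client's order wins, limited to what the
    # KDC permits. This is the only choice the client's list can steer.
    session = first_match(client_requested, kdc_preference)
    return Selection(ticket, reply, session)


# Constructed sample data: the KDC prefers AES-256, but the krbtgt
# principal only has des3 and AES-128 keys, stored in that order.
KDC_PREFERENCE = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1"]
KRBTGT_KEYS = ["des3-cbc-sha1", "aes128-cts-hmac-sha1-96"]


def demo():
    """Same service principal, two clients whose requested orders differ."""
    des_first = select_enctypes(KDC_PREFERENCE, KRBTGT_KEYS,
                                ["des3-cbc-sha1", "aes128-cts-hmac-sha1-96"])
    aes_first = select_enctypes(KDC_PREFERENCE, KRBTGT_KEYS,
                                ["aes128-cts-hmac-sha1-96", "des3-cbc-sha1"])
    return des_first, aes_first


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model the ticket enctype is identical for both clients, and only the session key follows the order the client asked for. A principal that has no key for any enctype the KDC permits yields `None` for the ticket.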