Brian Davidson wrote:
> On Jun 4, 2005, at 11:27 AM, Jeffrey Altman wrote:
>
>> The MIT Kerberos team worked with the Microsoft Windows Security team
>> to make sure that RC4-HMAC could be used for cross-realm authentication
>> by Windows Server specifically because of the concerns you raise. DES
>> keys are very weak and if they must be used because that is all that is
>> supported, then the keys must be replaced on a very regular basis
>> until such time as they no longer need to be used.
>>
>> With 2003 Server SP1 there should no longer be a reason to use DES keys
>> for anything but compatibility with Java 1.5 and earlier.
>
> Has anyone had success with this? I just tried to use RC4-HMAC for a
> cross-realm trust with Server 2003 SP1, and it didn't work. I could
> only get the trust to work with a DES key.
>
> Do you know if Microsoft has any of this documented anywhere? I
> didn't see any mention of this in the "Windows Server 2003 Service
> Pack 1 list of updates".
>
> I'm hoping there's just a registry setting that needs to be made to
> enable this...
>
> Thanks,
>
> Brian Davidson
> George Mason University
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Hi Brian,

After setting the trust, install Windows 2003 SP1 Support tools, then run

    ktpass -MitRealmName <REALM> -TrustEncryp RC4

I do not know where or if this is documented (besides the /? of ktpass). By the way, RC4 is not the default despite what "ktpass /?" might say.

Hope that helps.

--
Colin Hudler
University of Chicago
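
A check that could follow the ktpass change above, added here as an example and not part of either post: it parses MIT `klist -e` output and reports cross-realm TGTs whose ticket is still encrypted with a single-DES key. The sample output, realm names and function names are constructed for illustration, and the `klist -e` layout with short enctype names is an assumption about the MIT release in use.

```python
import re

# Single-DES enctype names as MIT klist -e prints them (short-name form).
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Constructed sample: a local TGT plus cross-realm TGTs to two hypothetical
# Windows realms, one of which still uses a DES trust key.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.EDU

Valid starting       Expires              Service principal
06/04/2005 11:27:00  06/04/2005 21:27:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
\tEtype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
06/04/2005 11:28:10  06/04/2005 21:27:00  krbtgt/AD1.EXAMPLE.EDU@EXAMPLE.EDU
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc
06/04/2005 11:29:42  06/04/2005 21:27:00  krbtgt/AD2.EXAMPLE.EDU@EXAMPLE.EDU
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

# A ticket line is: start date, start time, end date, end time, principal.
TICKET_RE = re.compile(r"^\d\S*\s+\S+\s+\d\S*\s+\S+\s+(\S+@\S+)\s*$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,]+),\s*(.+?)\s*$")

def cross_realm_etypes(klist_output):
    """Return [(service, session_key_etype, ticket_etype)] for cross-realm TGTs."""
    results, pending = [], None
    for line in klist_output.splitlines():
        t = TICKET_RE.match(line)
        if t:
            service = t.group(1)
            target, _, issuer = service[len("krbtgt/"):].partition("@")
            # Cross-realm TGT: krbtgt/<other realm>@<issuing realm>.
            is_xrealm = service.startswith("krbtgt/") and target != issuer
            pending = service if is_xrealm else None
            continue
        e = ETYPE_RE.search(line)
        if e and pending:
            results.append((pending, e.group(1).strip(), e.group(2)))
            pending = None
    return results

def des_trusts(klist_output):
    """Cross-realm TGTs whose ticket enctype (the trust key) is single DES."""
    return [svc for svc, _skey, tkt in cross_realm_etypes(klist_output)
            if tkt in WEAK_ETYPES]

if __name__ == "__main__":
    for svc in des_trusts(SAMPLE_KLIST):
        print("DES trust key still in use:", svc)
```

The ticket enctype, not the session key enctype, is the field that reflects the inter-realm trust key, so that is the one compared against the DES list.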
