* Ken Hornstein <[EMAIL PROTECTED]> [20060831 10:40]:
> >We're in the process of enabling additional enctypes in a K5 realm that
> >previously only had DES keys. Our kdc.conf file now reads (in part):
> >
> >master_key_type = des-cbc-crc
> >supported_enctypes = des-cbc-crc:normal des3-cbc-sha1:normal
> >aes256-cts:normal
>
> There's an implied preference order to the keys listed in
> supported_enctypes. If you want AES to be used for tickets (when
> possible, of course), you should list that first.
>
> (For session keys, the list sent by the client is used as the preference
> order).
An interesting interoperability wrinkle arises if you have any Windows
2K/XP machines with native Kerberos libraries (not KfW) pointed at
your MIT KDC for authentication. In my experiments a few months ago,
such machines *fail* to get tickets if the first enctype listed in the
KDC's 'supported_enctypes' is not 'des-cbc-crc:normal'.
In other words, when I tried reversing the order of 'supported_enctypes'
like this:
supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal \
des-cbc-crc:normal
I found that native Windows clients could no longer authenticate to the
KDC. Perhaps Vista will support enctypes other than single DES...
Has anyone else seen this?
Ben
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
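An added example, not from the thread or from MIT krb5 itself: a small Python checker that parses a kdc.conf `supported_enctypes` value (the realm fragments are constructed, including the backslash-wrapped form quoted in the post) and reports the KDC's preference order, whether des-cbc-crc is listed first as the legacy Windows clients in the post required, and which single-DES enctypes are offered at all. The line-joining of a backslash-wrapped value is an assumption made to accept the text as written in the post, not a statement about krb5's profile syntax.

```python
import re
from typing import Dict, List, Tuple

# Constructed kdc.conf fragments (not from any real deployment).
DES_FIRST = """[realms]
    EXAMPLE.COM = {
        master_key_type = des-cbc-crc
        supported_enctypes = des-cbc-crc:normal des3-cbc-sha1:normal \\
            aes256-cts:normal
    }
"""
AES_FIRST = """[realms]
    EXAMPLE.COM = {
        master_key_type = des-cbc-crc
        supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal \\
            des-cbc-crc:normal
    }
"""

# Single-DES enctypes: 56-bit keys, long deprecated; offering them at all
# is a compatibility trade-off that should be tracked and retired.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw", "des-hmac-sha1"}


def parse_supported_enctypes(conf: str) -> List[Tuple[str, str]]:
    """Return (enctype, salttype) pairs in the order the KDC lists them.

    A backslash before a newline is treated as a line continuation (assumption,
    to accept the wrapped form seen in the post); a token without ':salt'
    is reported with the 'normal' salt type, krb5's default.
    """
    joined = re.sub(r"\\\n\s*", " ", conf)
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", joined, re.MULTILINE)
    if not m:
        return []
    pairs = []
    for token in m.group(1).split():
        enctype, _, salt = token.partition(":")
        pairs.append((enctype, salt or "normal"))
    return pairs


def assess(conf: str) -> Dict[str, object]:
    """Summarise the ordering in the terms the thread discusses."""
    order = [enctype for enctype, _ in parse_supported_enctypes(conf)]
    return {
        "preference_order": order,
        "preferred_enctype": order[0] if order else None,
        # The post reports native Win2K/XP clients failing unless des-cbc-crc is first.
        "legacy_windows_ok": bool(order) and order[0] == "des-cbc-crc",
        "single_des_offered": [e for e in order if e in SINGLE_DES],
    }
```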