Create a new GPO on the "Domain Controllers" OU
Computer Policy/Policies/Windows Settings/Security Settings/Local Policies/Security Options

If the MIT side has all of those enctypes enabled and the trust accounts have keys for all of those enctypes, then you won't need this. By default, a new realm trust from Windows 2008 and later domain will use only RC4-HMAC encryption. Selecting "The other realm supports AES" in the GUI turns off RC4 and enables AES256 and AES128. You can use the ksetup command on a DC to set what enctypes are used for the trust to something more specific than these two options.

ksetup /SetEncTypeAttr <realm> <enctypes>

-Ross

From: c f [mailto:[email protected]]
Sent: Wednesday, August 25, 2010 2:46 AM
To: Wilper, Ross A
Cc: [email protected]
Subject: Re: problem with the cross-realm, any help?

Hi Ross,

On Tue, Aug 24, 2010 at 5:39 PM, Wilper, Ross A <[email protected]> wrote:

You mention allowing the DES enctypes on the Windows 7 box? Is that the only common enctype available between the MIT realm and Windows? (AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)

I have all these enctypes enabled in fact.

If so, you will need to have DES enabled on the domain controller also. This is most easily done (for all machines) using a group policy "Network Security: Configure Encryption types allowed for Kerberos"

I have not found this group policy in a Windows Server 2008.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
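
The "common enctype" question in this thread can be checked mechanically. The following is an added example, not part of the original messages: it intersects the enctypes a Windows realm trust allows with the enctypes the MIT trust principal has keys for, and builds an AES-only argument for ksetup /SetEncTypeAttr. The function names and the sample key list are constructed for illustration; the bit values follow the msDS-SupportedEncryptionTypes layout.

```python
# Added example: which enctypes can a Windows <-> MIT cross-realm trust actually use?
# Bit values follow the msDS-SupportedEncryptionTypes layout (MS-KILE).
ENCTYPES = [  # (bit, ksetup name, MIT krb5 name, weak?), strongest first
    (0x10, "AES256-CTS-HMAC-SHA1-96", "aes256-cts-hmac-sha1-96", False),
    (0x08, "AES128-CTS-HMAC-SHA1-96", "aes128-cts-hmac-sha1-96", False),
    (0x04, "RC4-HMAC-MD5", "arcfour-hmac", True),
    (0x02, "DES-CBC-MD5", "des-cbc-md5", True),
    (0x01, "DES-CBC-CRC", "des-cbc-crc", True),
]
MIT_ALIASES = {
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes128-cts": "aes128-cts-hmac-sha1-96",
}

# The two GUI states described in the thread.
TRUST_DEFAULT = 0x04      # new realm trust: RC4-HMAC only
TRUST_AES = 0x10 | 0x08   # "The other realm supports AES": RC4 off, AES256 + AES128 on


def mit_mask(enctype_list):
    """Convert MIT enctype names (a ':salt' suffix is ignored) to a bitmask."""
    mask = 0
    for token in enctype_list.replace(",", " ").split():
        name = token.split(":")[0].lower()
        name = MIT_ALIASES.get(name, name)
        for bit, _, mit_name, _ in ENCTYPES:
            if mit_name == name:
                mask |= bit
    return mask


def assess_trust(windows_mask, mit_key_enctypes):
    """Report the enctypes both sides share and whether only weak ones remain."""
    common = windows_mask & mit_mask(mit_key_enctypes)
    usable = [e for e in ENCTYPES if e[0] & common]
    strong = [e for e in usable if not e[3]]
    return {
        "common": [e[1] for e in usable],
        "weak_only": bool(usable) and not strong,
        "ksetup_enctypes": " ".join(e[1] for e in strong),
    }


if __name__ == "__main__":
    # Constructed sample: enctypes of the keys held by the MIT trust principal.
    keys = "aes256-cts-hmac-sha1-96:normal arcfour-hmac:normal des-cbc-md5:normal"
    for label, mask in (("default trust", TRUST_DEFAULT), ("AES option", TRUST_AES)):
        print(label, assess_trust(mask, keys))
```

An empty "common" list means the trust cannot issue a usable cross-realm ticket until one side gains a key of a shared enctype; "weak_only" means the trust works but only over RC4 or DES.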
