Ken Hornstein wrote: >> In practice, 3DES has no problems here, but AES keys can confuse really >> old clients. > > A slight expansion on this. > > Clients from the MIT 1.0.x era would reject service tickets if they were > encrypted with an enctype they didn't know about (since clients don't > decrypt service tickets they shouldn't need to care about the enctype). > The exception to this was the TGT (it used a different codepath). So > you could have an AES TGT (for example) and it would work fine even though > AES keys for service principals would not (3DES had the same issue from > what I remember). > > I believe this was fixed in the 1.1 or 1.2 timeframe. > > --Ken
Java clients prior to one of the 1.5 releases has this same problem. Jeffrey Altman
smime.p7s
Description: S/MIME Cryptographic Signature
