On 3/4/2010 7:44 PM, Stephen Joyce wrote:
> - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
> value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc. Without this, the
> DC won't talk DES to clients, even if you do extract a DES-only keytab
> (you'll see "KDC has no support for encryption type" messages).

This sounds like a bug.

> - Checked "Use Kerberos DES encryption types for this account" on the
> Account tab of the afscell user account in AD. I'd also recommend
> password never expires.
>
> - Extract the keytab similarly to this. Adjust to taste:
> ktpass -princ afs/celln...@addomainname -mapuser afsc...@addomainname
> -mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly -ptype
> KRB5_NT_PRINCIPAL +DumpSalt -kvno 3

You should not use the -kvno option. That option was for Windows 2000. It is not useful and is dangerous on more recent Windows versions.

When using the 2008 R2 version of ktpass, I also recommend using the -crypto ALL option, as that creates a keytab with all of the supported enctypes for the account. For a DesOnly account, this should be just the DES enctypes.

You also want to use the +SetUpn option to set the UPN in addition to the principal name for the account.

Jeffrey Altman
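The procedure discussed in this exchange, written out as a PowerShell script. This is an added example and not code posted by either Stephen or Jeffrey; it follows Jeffrey's recommendations (-crypto ALL, +SetUpn, no -kvno) on top of Stephen's steps. The domain, cell name, account name and output path are placeholders you must adjust; the ActiveDirectory module and ktpass.exe are assumed to be present on the 2008 R2 domain controller where this is run.

```powershell
# Added example: DES-only AFS keytab extraction from a Windows 2008 R2 KDC.
# Not from the original thread. All names below are assumptions/placeholders.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$Domain   = 'EXAMPLE.ORG'        # assumed AD domain (Kerberos realm), upper case
$CellName = 'cell.example.org'   # assumed AFS cell name
$SamName  = 'afscell'            # assumed AD user account that holds the afs/ key
$Keytab   = 'C:\temp\afs-keytab' # assumed output path

# 1. Let the KDC issue tickets with the enctypes the client actually requested.
#    Without this the DC refuses DES even for a DES-only keytab
#    ("KDC has no support for encryption type").
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\kdc'
New-ItemProperty -Path $KdcKey -Name 'KdcUseRequestedEtypesForTickets' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. "Use Kerberos DES encryption types for this account" + password never expires.
Set-ADAccountControl -Identity $SamName -UseDESKeyOnly $true -PasswordNeverExpires $true

# 3. Extract the keytab.
#    - no -kvno: the option is a Windows 2000 leftover and dangerous on newer DCs
#    - -crypto ALL: every enctype the account supports, which for a DesOnly
#      account is just the DES enctypes
#    - +SetUpn: also set the UPN, not only the SPN, on the account
$Princ = "afs/$CellName@$Domain"
& ktpass.exe -princ $Princ -mapuser "$SamName@$Domain" -mapOp add `
    -out $Keytab +rndPass -crypto ALL +DesOnly -ptype KRB5_NT_PRINCIPAL `
    +DumpSalt +SetUpn
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 4. Sanity check: the keytab file exists and the account now carries the SPN.
if (-not (Test-Path $Keytab)) { throw "keytab was not written to $Keytab" }
Get-ADUser -Identity $SamName -Properties servicePrincipalName, userPrincipalName |
    Select-Object SamAccountName, userPrincipalName, servicePrincipalName
```

Note that +rndPass resets the account password as part of key generation, so the DES key material on the DC and in the keytab only match for the run that produced the keytab; re-running the script invalidates any keytab copied to the AFS servers earlier.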