On Thu, 26 Sep 2013 17:21:47 +0000 Arne Wiebalck <[email protected]> wrote:
> Do you happen to know what controls which enc type AD will pick when > issuing an AFS service ticket? I don't know if this is an exhaustive list, but at least these things impact it: - The userAccountControl and msDS-SupportedEncryptionTypes attributes on the account (these are the DES/AES checkboxes in the account properties thing in the gui) - In the policy settings: "Security Options" -> "Network security: Configure encryption types allowed for Kerberos". - The option I mentioned earlier, in <http://lists.openafs.org/pipermail/openafs-info/2013-July/039763.html> There may be other things that affect the decision, but those are the only ones I know of. If you are asking how AD chooses which specific enctype to use after it has calculated the set of enctypes that are available, then no, I don't know (except for that last bullet point above). I assume it is a hard-coded preference for "stronger" enctypes, or maybe there's an option to set preferred enctypes that I don't know about. -- Andrew Deason [email protected] _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
