On 5/4/2016 1:44 AM, Benjamin Kaduk wrote:
> 1.6.14 doesn't need to have single-DES enabled; we shouldn't be
> recommending it.  The rxkad.keytab method should work fine with AES keys.
> 
> -Ben

+1

To be clear, the entire reason that the KDF extension to the rxkad
security class was implemented is to permit sites to use non-DES keys
for the long term AFS Key and the Kerberos session key while still using
a 56-bit key with parity to support the required Fcrypt wire encryption.

DES should not be enabled in Active Directory, nor in Heimdal, nor in
MIT Kerberos nor in any other Kerberos KDC.

Jeffrey Altman
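
A way to check a keytab for what both messages above recommend, as an added example that is not part of the original thread or of OpenAFS: it parses a keytab image in the MIT/Heimdal version 0x0502 file format and reports any single-DES entries. The function names are hypothetical, and the principal, realm and key bytes in SAMPLE are constructed.

```python
import struct

# Single-DES Kerberos enctype numbers; none should appear in rxkad.keytab.
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (data, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab image."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size <= 0:                     # negative size: hole left by a deleted entry
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", buf, p)
        realm, p = counted(buf, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(buf, p)
            comps.append(c.decode())
        # Skip name type and timestamp (8 bytes), then read 8-bit kvno and enctype.
        kvno, enctype = struct.unpack_from(">8xBH", buf, p)
        _key, p = counted(buf, p + 11)
        if end - p >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", buf, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def des_entries(buf):                     # entries whose key is single-DES
    return [e for e in parse_keytab(buf) if e[2] in DES_ENCTYPES]

def make_entry(comps, realm, kvno, enctype, key):   # builds one constructed entry
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + s(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one AES-256 key (enctype 18) and one leftover DES key (enctype 3).
SAMPLE = (b"\x05\x02"
          + make_entry([b"afs", b"example.org"], b"EXAMPLE.ORG", 5, 18, bytes(32))
          + make_entry([b"afs", b"example.org"], b"EXAMPLE.ORG", 4, 3, bytes(8)))
```

An empty result from `des_entries` on the bytes of a real keytab file means no single-DES keys remain in it.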


