Re: Ticket enctype question



* Ken Hornstein <kenh@xxxxxxxxxxxxxxxx> [20060831 10:40]:
We're in the process of enabling additional enctypes in a K5 realm that
previously only had DES keys. Our kdc.conf file now reads (in part):

master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal des3-cbc-sha1:normal aes256-cts:normal

There's an implied preference order to the keys listed in
supported_enctypes. If you want AES to be used for tickets (when
possible, of course), you should list that first.

(For session keys, the list sent by the client is used as the preference
order).

An interesting interoperability wrinkle arises if you have any Windows
2K/XP machines with native kerberos libraries (not KfW) pointed at
your MIT KDC for authentication. In my experiments a few months ago,
such machines *fail* to get tickets if the first enctype listed in the
KDC's 'supported_enctypes' is not 'des-cbc-crc:normal'.

In other words, when I tried reversing the order of 'supported_enctypes'
like this:

supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal \
des-cbc-crc:normal

I found that native windows clients could no longer authenticate to the
KDC. Perhaps Vista will support enctypes other than single DES...

Has anyone else seen this?

Ben
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
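As an added example (not code from the original thread), a small checker that parses the supported_enctypes line out of a constructed kdc.conf fragment, joining the backslash continuation shown in the message, and reports the implied ticket-key preference and whether the des-cbc-crc-first ordering the post says native Windows 2K/XP clients require is in place. The fragments and the EXAMPLE.COM realm name are constructed, not from the poster's files.

```python
import re

# Constructed kdc.conf fragments (not the poster's files), one per ordering
# discussed in the thread; the second uses a backslash line continuation.
ORIGINAL_ORDER = """\
[realms]
 EXAMPLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc:normal des3-cbc-sha1:normal aes256-cts:normal
 }
"""

REVERSED_ORDER = """\
[realms]
 EXAMPLE.COM = {
  supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal \\
      des-cbc-crc:normal
 }
"""

# The entry the post reports native Windows 2K/XP clients need listed first.
LEGACY_WINDOWS_ENTRY = ("des-cbc-crc", "normal")


def parse_supported_enctypes(conf_text):
    """Return the (enctype, salttype) pairs from a kdc.conf fragment.

    Backslash-continued lines are joined first, then the value is split on
    whitespace. A missing salt type is reported as 'normal', the default.
    """
    joined = re.sub(r"\\\n\s*", " ", conf_text)
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", joined, re.MULTILINE)
    if not m:
        raise ValueError("no supported_enctypes line found")
    pairs = []
    for token in m.group(1).split():
        enctype, _, salt = token.partition(":")
        pairs.append((enctype, salt or "normal"))
    return pairs


def ticket_enctype_preference(conf_text):
    """First listed enctype: the one the thread says is preferred for tickets."""
    return parse_supported_enctypes(conf_text)[0][0]


def legacy_windows_compatible(conf_text):
    """True when des-cbc-crc:normal is first, the ordering the post reports
    native Windows 2K/XP clients require to obtain tickets from an MIT KDC."""
    return parse_supported_enctypes(conf_text)[0] == LEGACY_WINDOWS_ENTRY
```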