The man page for krb5.conf states that default_tgs_enctypes is a list session key encryption types that should be returned by the KDC. Also, default_tkt_enctypes is a list of session key encryption types the should be requested by the client.
So, if I omit an encryption type, then I am not requesting that encryption type. Right? When I delete completely des3-hmac-sha1 from my krb5.conf and get a new TGT, I still get a des3-hmac-sha1 encryption type on my TGT. How is this possible? D:\>klist -e Ticket cache: API:krb5cc Default principal: [EMAIL PROTECTED] Valid starting Expires Service principal 05/29/03 18:49:34 05/30/03 04:49:34 krbtgt/[EMAIL PROTECTED] Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1 TIA, Jason C. Wells (BTW, I did not realize this group was gatewayed to a mailing list. I can understand why a person who uses the mailing list would be put off by a faze email address. My apologies to any who got a bounced message from me. I thought this was just a newsgroup. The address I am using now is real.) ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos