>This is exactly what is happening. Active Directory contains a password >and a set of string to key algorithms. The Microsoft version of >Kerberos will always generate keys on the fly.
Active Directory stores keys, not passwords, for Kerberos (although the cleartext password can be stored if the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED bit is set on an account, this is not necessary for Kerberos). The Local Security Authority on a domain member does contain the machine trust account password, from which keys are generated using the appropriate string to key algorithm. I think it is this to which you were referring? -- Luke ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
