Jeffrey Altman wrote:
> There is no need to nor should you set the tkt and tgs enctypes.
> MIT Kerberos 1.3 and higher support all of the enctypes used by
> the Windows Kerberos SSPI.
>
> If your service is running on Unix, then you must make sure that
> you create a keytab containing entries for each of the keys that
> Windows can produce for the SPN. (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC).
> The DES enctypes will only be used if the account associated with
> the SPN is marked DES only.

How can I check this and, second question, how can I generate a keytab with RC4-HMAC encryption?
The ktpass tool does not accept the RC4-HMAC crypto type:

[- /] crypto : Cryptosystem to use
[- /] crypto : is one of:
[- /] crypto : DES-CBC-CRC : for compatibility
[- /] crypto : DES-CBC-MD5 : default

Trying '-crypto RC4-HMAC' indicates that the SPN is marked for DES only!
How can I modify this?

Thanks for your help,

>
> Jacques Lebastard wrote:
>
>>
>> Hi there,
>>
>> our client/server application uses either SSPI (Windows) or GSS-API
>> (UNIX) in order to establish a secure context.
>>
>> In order to make it work properly, I had to set specific encryption
>> types in the krb5.conf file of the UNIX server:
>>
>> [libdefaults]
>> default_tkt_enctypes = des-cbc-md5
>> default_tgs_enctypes = des-cbc-md5
>>
>> Does that mean that the established session keys are DES 64 bits
>> *ONLY* ? It sounds like a weak encryption...
>>
>> Are any other encryption types compatible between MIT and Windows
>> 2000/2003 (native) Kerberos implementations ?
>>
>
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
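
Added example, not part of the original messages and not code from MIT or Microsoft: one way to check which enctypes a Unix keytab holds for an SPN is to parse the keytab file (version 0x0502 layout) and compare the result against the three enctypes named in the thread. The principal host/unix.example.com@EXAMPLE.COM, the helper names and the all-zero key bytes are constructed for illustration.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # Kerberos enctype numbers
WANTED = {"rc4-hmac", "des-cbc-md5", "des-cbc-crc"}              # list given in the thread

def counted(buf, off):
    """Read a uint16 length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_enctypes(data):
    """Map 'principal@REALM' -> set of enctype names in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = {}, 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # negative size marks a deleted entry (hole)
            off += -size
            continue
        p = off
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(data, p)
            comps.append(c.decode())
        p += 4 + 4 + 1           # skip name type, timestamp, 8-bit key version
        (etype,) = struct.unpack_from(">H", data, p)
        name = "/".join(comps) + "@" + realm.decode()
        out.setdefault(name, set()).add(ENCTYPES.get(etype, "etype-%d" % etype))
        off += size              # entry size covers any trailing 32-bit kvno
    return out

def missing_enctypes(data, principal):
    """Enctypes from the thread's list that the keytab lacks for a principal."""
    return WANTED - keytab_enctypes(data).get(principal, set())

def make_entry(realm, comps, etype, key, kvno=1):
    """Build one constructed keytab entry (sample data only, dummy key bytes)."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab holding only a DES-CBC-MD5 key for a hypothetical SPN.
SAMPLE = b"\x05\x02" + make_entry(b"EXAMPLE.COM", [b"host", b"unix.example.com"], 3, b"\x00" * 8)
```

Against a real file, pass `open(path, "rb").read()` to `missing_enctypes`; an empty set means every enctype from the list has a key entry for that principal.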