Jacques Lebastard wrote:
Jeffrey Altman wrote:


There is no need to nor should you set the tkt and tgs enctypes.
MIT Kerberos 1.3 and higher support all of the enctypes used by
the Windows Kerberos SSPI.

If your service is running on Unix, then you must make sure that
you create a keytab containing entries for each of the keys that
Windows can produce for the SPN.  (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC).
The DES enctypes will only be used if the account associated with
the SPN is marked DES only.


How can I check this and, second question, how can I generate a keytab with RC4-HMAC encryption? The ktpass tool does not accept the RC4-HMAC crypto type:


If you knew the password (or key) added to AD, you could try using ktutil, instead of ktpass. Use addent ... -e arcfour-hmac-md5

Ktutil let me create a keytab, I don't know if it is correct.


[- /]       crypto : Cryptosystem to use
[- /]       crypto :  is one of:
[- /]       crypto : DES-CBC-CRC : for compatibility
[- /]       crypto : DES-CBC-MD5 : default

Trying '-crypto RC4-HMAC' indicates that the SPN is marked for DES only! How can I modify this?

Thanks for your help,


Jacques Lebastard wrote:


Hi there,

our client/server application uses either SSPI (Windows) or GSS-API (UNIX) in order to establish a secure context.

In order to make it work properly, I had to set specific encryption types in the krb5.conf file of the UNIX server:

[libdefaults]
       default_tkt_enctypes = des-cbc-md5
       default_tgs_enctypes = des-cbc-md5

Does that mean that the established session keys are DES 64 bits *ONLY*? It sounds like a weak encryption...

Are any other encryption types compatible between MIT and Windows 2000/2003 (native) Kerberos implementations?


________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos




--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444