On 7/26/2013 4:30 PM, Andrew Deason wrote:
> On Fri, 26 Jul 2013 14:07:46 +0200
> Lars Schimmer <l.schim...@cgv.tugraz.at> wrote:
> 
>> Ok, now with access to such a machine:
>> krbtgt/cgv.tugraz...@cgv.tugraz.at
>> Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS
>> mode with 96-bit SHA-1 HMAC
>> afs/cgv.tugraz.at/CGV.TUGRAZ.AT
>> Etype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with
>> 96-bit SHA-1 HMAC
> 
> By any chance, do you happen to have the registry entry
> 
> HKLM\SYSTEM\CurrentControlSet\services\kdc\KdcUseRequestedEtypesForTickets
> 
> set to 1? That seems like it may cause that behavior, from a quick test I
> just did.
> 
> I'm having trouble seeing what on earth that option is for. From what I
> can find on various sites, that makes the KDC use the client-specified
> enctype list for the service ticket enctype, ignoring the principal
> enctype settings (but still honoring the principal enctypes for the
> session key?). I'm having trouble seeing any scenario where that is not
> completely inappropriate (and a security issue!), let alone for AFS
> usage.
> 
> I've seen this mentioned in a few AFS/Active Directory howtos, and I
> have no idea why. If anyone has some info to share...

That was added as a hotfix to Server 2003.  In Server 2000 the KDC
always issued tickets with the session key and service ticket key
configured based upon the client specified enctype list.   This was a
bug that was fixed in Server 2003.  At the time there were a number of
Kerberos implementations which would crash if any of the enctypes in the
ticket were not recognized even if the Kerberos implementation had no
business attempting to decrypt the service ticket portion.  To avoid
crashing these implementations the above hotfix was added.

If this is in fact the problem, a bug report needs to be filed with
Microsoft to address the conflict between the DES_ONLY flag and the
KdcUseRequestedEtypesForTickets option.

Jeffrey Altman
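
The symptom the two posters describe (a DES session key but an AES-encrypted service ticket for a DES-only AFS principal) is visible from the client side in `klist -e` output. The following is an added example, not code from the thread or from OpenAFS: it parses MIT-style `klist -e` output and flags tickets whose session key enctype is DES but whose ticket enctype is not, which is what a KDC honouring the client's requested enctype list for the ticket (rather than the principal's own key) produces. The sample ticket cache embedded below is constructed to mirror the format quoted above; the principal names, dates and cache path are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample `klist -e` output (MIT Kerberos format), modelled on the
# ticket cache quoted in the thread. Not real data from the poster's machine.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@CGV.TUGRAZ.AT

Valid starting       Expires              Service principal
07/26/2013 13:55:01  07/26/2013 23:55:01  krbtgt/CGV.TUGRAZ.AT@CGV.TUGRAZ.AT
\tEtype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/26/2013 13:55:05  07/26/2013 23:55:01  afs/cgv.tugraz.at@CGV.TUGRAZ.AT
\tEtype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""


@dataclass
class TicketEtypes:
    service: str
    session_key: str  # enctype of the session key handed to the client (skey)
    ticket: str       # enctype the service ticket itself is encrypted with (tkt)


# A ticket line: two "date time" pairs followed by the service principal.
TICKET_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(?P<service>\S+@\S+)\s*$")
# The indented "Etype (skey, tkt): <skey enctype>, <tkt enctype>" line under it.
# MIT enctype names contain no commas, so the first comma separates the two.
ETYPE_RE = re.compile(r"^\s+Etype \(skey, tkt\):\s*(?P<skey>[^,]+),\s*(?P<tkt>.+?)\s*$")


def parse_klist(text: str) -> List[TicketEtypes]:
    """Pair each service-principal line with the Etype line that follows it."""
    tickets: List[TicketEtypes] = []
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group("service")
            continue
        m = ETYPE_RE.match(line)
        if m and current:
            tickets.append(TicketEtypes(current, m.group("skey").strip(), m.group("tkt").strip()))
            current = None
    return tickets


def is_des(enctype: str) -> bool:
    """MIT names single-DES enctypes 'DES cbc mode with ...'; 3DES is 'Triple DES ...'."""
    return enctype.upper().startswith("DES ")


def find_mismatches(tickets: List[TicketEtypes]) -> List[TicketEtypes]:
    """Tickets whose session key is DES but whose ticket is not.

    A DES-keyed service (such as an AFS fileserver using rxkad) can only decrypt a
    ticket encrypted with its DES key, so such a ticket is unusable for that
    service even though the session key looks right."""
    return [t for t in tickets if is_des(t.session_key) and not is_des(t.ticket)]


if __name__ == "__main__":
    import sys
    # Read a real `klist -e` dump from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    for t in find_mismatches(parse_klist(text)):
        print(f"{t.service}: session key {t.session_key!r} but ticket {t.ticket!r}")
```

Pipe `klist -e` into the script on an affected client; a line reported for the `afs/...` principal is the pattern discussed above, and the KDC side (the `KdcUseRequestedEtypesForTickets` registry value on the domain controllers) is where to look next.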
