You generally want to support all key types on your KDC. You can
restrict the key type from within kadmin:
kadmin: cpw -e "rc4-hmac:normal" krbtgt/AD.EXAMPLE.COM
Service principals should contain ONLY the key types supported by that
service (i.e. rc4-hmac, des-cbc-md5, des-cbc-crc in the case

Thank you for that info.
I was able to solve the immediate problem by adding permitted_enctypes
= rc4-hmac des-cbc-md5 des-cbc-crc to the [libdefaults] section of
kerb5.conf. This caused DES to be used for all enc-parts and did allow
the Windows KDC to issue a service ticket. This causes another p

When creating or modifying the cross realm principals with
MIT kadmin, you must specify the list of enc:salt combinations
you wish created for that principal.
If you do not specify a list, the default list from kdc.conf
will be used.
You use the "-e enc:salt ..." option as documented here:
http:

Thank you to everyone for all the old posts, which have helped me, and
thank you in advance for any ideas on this:
I am trying to create an MIT / Windows interop scenario in a lab, where
the MIT realm is used for accounts, while users log on interactively to
Windows machines and further authenticat

The enc-part of the ticket only matters to the service that it will be
presented to (in this case, the MIT kdc). The MIT kdc is acting correctly.
The enc-part of the AS-REP itself is des-cbc-md5.
Later, when the XP machine approaches
the Windows KDC about a service ticket, the Windows KDC reje