Thank you, I just verified it.
After enabling AES on the accounts it does not work, as the generated key is
different.
Found the details:
For RC4-HMAC:
key = MD4(UNICODE(password))
https://tools.ietf.org/html/rfc4757#page-3
For AES:
tkey = random2key(PBKDF2(passphrase, salt, iter_count, keylength))
key =
Note that this is true only for RC4-HMAC keys, because the RC4-HMAC key
is unsalted. AES keys are salted so two machines will have different
AES keys even if the "password" is the same.
HTH,
Simo.
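Simo's point above, as an added example that is not code from the thread: it derives the RC4-HMAC key by the RFC 4757 formula and the AES tkey by the RFC 3962 PBKDF2 step for two principals that share one password. The realm and principal names are constructed, the salt uses RFC 3962's default form (an assumption here, since AD's own salt construction is not shown on the page), and a small MD4 is included because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), since hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (mixing function, additive constant, shift schedule, message-word order)
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [4 * (i % 4) + i // 4 for i in range(16)]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [int(f"{i:04b}"[::-1], 2) for i in range(16)]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, shifts, order in rounds:
            for i, w in enumerate(order):  # register rotation replaces the unrolled a/d/c/b steps
                a, b, c, d = d, rol((a + f(b, c, d) + X[w] + k) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757: key = MD4(UNICODE(password)). No salt, so equal passwords give equal keys."""
    return md4(password.encode("utf-16-le"))

def aes_tkey(password: str, salt: str, keylength: int = 32, iter_count: int = 4096) -> bytes:
    """RFC 3962: tkey = PBKDF2(passphrase, salt, iter_count, keylength); random2key is the
    identity for AES. The final DK step is left out: it does not change whether two keys match."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"), iter_count, keylength)

def default_salt(realm: str, principal: str) -> str:
    """RFC 3962 default salt: realm followed by the principal name components, no separators."""
    return realm + "".join(principal.split("/"))

def compare_keys(realm: str, principal_a: str, principal_b: str, password: str) -> dict:
    """Derive both key types for two principals sharing one password (constructed inputs)."""
    rc4_a, rc4_b = rc4_hmac_key(password), rc4_hmac_key(password)  # principal never enters
    aes_a = aes_tkey(password, default_salt(realm, principal_a))
    aes_b = aes_tkey(password, default_salt(realm, principal_b))
    return {"rc4_equal": rc4_a == rc4_b, "aes_equal": aes_a == aes_b, "rc4_hex": rc4_a.hex()}

if __name__ == "__main__":
    print(compare_keys("EXAMPLE.COM", "host/server-a.example.com", "host/server-b.example.com", "password"))
```

The two RC4-HMAC keys come out identical while the AES tkeys differ, which is exactly the unsalted versus salted behaviour described above.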
On Mon, 2021-03-22 at 01:24 +0530, Vipul Mehta wrote:
Got it. Even if sname is encrypted, it won't make any difference, as it can
be modified and re-encrypted because the key is equal.
A signature also won't help, for the same reason. So it is clear that the
responsibility lies on the AD admin to use unique passwords for accounts.
On Sun, Mar 21, 2021 at 10:29 AM Be
On Fri, Mar 19, 2021 at 11:47:49PM +0530, Vipul Mehta wrote:
Hi,
Suppose there are two servers A and B running under different Kerberos
service principals.
If both service principals have the same password and kvno, then the Kerberos
long-term encryption key will be the same for both. Seems to be the case for
the Windows KDC.
In such case, a client having service ticke