choosing Kerberos encryption algorithms/Kerberos logging on XP

From: James Ervin (james_at_unc.edu)
Date: 02/24/04

Date: Tue, 24 Feb 2004 08:26:05 -0800


I thought I posted a message similar to this yesterday, but can't seem to locate it, so I apologize if this is a duplicate posting.

We have deployed an AD domain with a one-way outgoing Kerberos trust to an MIT Kerberos 5 realm. I realize many other institutions have done this, so we're a bit behind the curve; nonetheless, documentation on some of these issues is still hard to find. The administrators of our MIT realm are a bit uneasy with the DES-CBC-MD5 encryption used to request tickets, and would prefer to use something stronger (RC4-HMAC, preferably). After researching this for a bit, it seems that the documentation on Microsoft's Kerberos implementation is sparse at best, and hasn't changed significantly since Windows 2000, so my questions are several. We are using primarily XP clients in a domain with mixed Windows 2000 and 2003 domain controllers.

- From what I can determine, only the DES-CBC-MD5 and DES-CBC-CRC algorithms are used when talking to an external MIT K5 realm. Is this true, or can I force the client to prefer a particular algorithm (RC4-HMAC)? Will this change?
- What does the "Use DES Encryption Types for this account" flag on the individual user actually do? The documentation is sparse--does this refer to the session key, service ticket, or what?
- I've seen rumors that the choice of Kerberos encryption algorithm will be controllable via the Registry in Windows 2003 Server, SP1, but can't find any documentation. Is this true?
- Is there any documentation on the Kerberos implementation included in Windows 2003 Server, or is it entirely identical to the Windows 2000 one?
- Is there a way to enable Kerberos logging on an XP client? The method described in Q262177 for Windows 2000 doesn't seem to transfer over.
- We see Windows XP clients using the MIT realm for primary authentication making Kerberos requests for things they shouldn't; for instance, when running the AFS client (which uses Kerberos v4), the MIT Kerberos servers receive requests for a principal of the form cifs\<machine name>-AFS@DOMAIN.EDU every 15 minutes. Replicated over several thousand clients, this seems like a lot of unnecessary work. Is there a method for controlling the interval or frequency of Kerberos requests made by the SMB client, or otherwise preventing requests for tickets that will never be returned properly?

Thanks for any help you can provide on any of the above-

James Ervin
Chapel Hill, NC
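As an added example, not part of the original post or thread: a small Python script that reads constructed lines in the style of an MIT krb5kdc.log and reports which clients negotiate only single-DES, which tickets were issued with a single-DES ticket key, and how often a client repeats a request for a service principal that does not exist (the cifs/<machine>-AFS requests described above). The log format, principals and addresses are assumptions; enctype numbers are the RFC 3961/4757 values.

```python
import re
from collections import Counter

# Kerberos encryption type numbers (RFC 3961 / RFC 4757).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
WEAK_ETYPES = {1, 3}  # single-DES types the realm admins want to retire

# Constructed sample lines approximating the krb5kdc.log format of an MIT KDC;
# hostnames, principals, addresses and timestamps are made up.
SAMPLE_LOG = """\
Feb 24 08:00:01 kdc krb5kdc[1234](info): AS_REQ (2 etypes {3 1}) 10.1.2.3: ISSUE: authtime 1077638401, etypes {rep=3 tkt=3 ses=3}, jervin@REALM.EDU for krbtgt/REALM.EDU@REALM.EDU
Feb 24 08:00:05 kdc krb5kdc[1234](info): TGS_REQ (2 etypes {3 1}) 10.1.2.3: UNKNOWN_SERVER: authtime 1077638401, jervin@REALM.EDU for cifs/PC1234-AFS@REALM.EDU, Server not found in Kerberos database
Feb 24 08:15:05 kdc krb5kdc[1234](info): TGS_REQ (2 etypes {3 1}) 10.1.2.3: UNKNOWN_SERVER: authtime 1077638401, jervin@REALM.EDU for cifs/PC1234-AFS@REALM.EDU, Server not found in Kerberos database
Feb 24 08:16:00 kdc krb5kdc[1234](info): AS_REQ (3 etypes {23 3 1}) 10.1.2.9: ISSUE: authtime 1077639360, etypes {rep=23 tkt=23 ses=23}, asmith@REALM.EDU for krbtgt/REALM.EDU@REALM.EDU
"""

LINE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): authtime \d+, "
    r"(?:etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)")

def parse_line(line):
    """Return the fields of one AS_REQ/TGS_REQ log line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(e) for e in rec["offered"].split()]  # client's etype list
    rec["tkt"] = int(rec["tkt"]) if rec["tkt"] else None         # ticket key etype
    return rec

def analyze(text):
    """Summarise single-DES use and repeated requests for nonexistent services."""
    weak_issued = []            # (client, ip, etype) for tickets keyed with single DES
    des_only_clients = set()    # addresses that offered nothing stronger than single DES
    unknown_server = Counter()  # (ip, service principal) -> number of failed requests
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if set(rec["offered"]) <= WEAK_ETYPES:
            des_only_clients.add(rec["ip"])
        if rec["status"] == "ISSUE" and rec["tkt"] in WEAK_ETYPES:
            weak_issued.append((rec["client"], rec["ip"], ETYPE_NAMES[rec["tkt"]]))
        if rec["status"] == "UNKNOWN_SERVER":
            unknown_server[(rec["ip"], rec["server"])] += 1
    return {"weak_issued": weak_issued, "des_only_clients": des_only_clients,
            "unknown_server": unknown_server}
```

Running analyze() over a real krb5kdc.log shows which clients would break if single-DES were disabled on the KDC, and which machines are the source of the periodic cifs/...-AFS lookups.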

