Re: choosing Kerberos encryption algorithms/Kerberos logging on XP

From: James Ervin (james_at_unc.edu)
Date: 02/25/04

    Date: Wed, 25 Feb 2004 13:36:07 -0800
    
    

    Laura-

    Thanks for your reply.

    In answer to your question: we are not using SFU in our production domain in any capacity, but we certainly can, at least in a test configuration--especially now that it's free. I'm unclear as to how that could help except for troubleshooting purposes, though--we are not providing services to Unix clients from our Windows 2000/2003 KDCs; rather the reverse: we would like our MIT realm to provide authentication and our Win2K/2K3 domain to provide authorization. I apologize if my original post wasn't clear. I'll install SFU for testing and reexamine it, though--I'm sure there's something I overlooked.

    One note: just today, we configured an outgoing trust to a test MIT realm. When creating the principal on the MIT realm for our domain controller, the administrator specifically used an RC4-HMAC key, and did NOT use any DES keys. This appears to break the Kerberos interoperability. It's the stated direction of the group that maintains our MIT realm to eventually move away from using DES keys as they slowly eliminate all Kerberos v4 applications, so this could be a problem.

    James Ervin
    Chapel Hill, NC

