[32602] in Kerberos
RE: problem with the cross-realm, any help?
daemon@ATHENA.MIT.EDU (Wilper, Ross A)
Wed Aug 25 11:11:56 2010
From: "Wilper, Ross A" <rwilper@stanford.edu>
To: c f <claudiawhf@gmail.com>
Date: Wed, 25 Aug 2010 08:11:49 -0700
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Create a new GPO on the "Domain Controllers" OU
Computer Policy/Policies/Windows Settings/Security Settings/Local Policies/Security Options
If the MIT side has all of those enctypes enabled and the trust accounts have keys for all of those enctypes, then you won't need this.
By default, a new realm trust from a Windows 2008 or later domain will use only RC4-HMAC encryption. Selecting "The other realm supports AES" in the GUI turns off RC4 and enables AES256 and AES128. You can use the ksetup command on a DC to set what enctypes are used for the trust to something more specific than these two options.
ksetup /SetEncTypeAttr <realm> <enctypes>
-Ross
From: c f [mailto:claudiawhf@gmail.com]
Sent: Wednesday, August 25, 2010 2:46 AM
To: Wilper, Ross A
Cc: kerberos@mit.edu
Subject: Re: problem with the cross-realm, any help?
Hi Ross,
On Tue, Aug 24, 2010 at 5:39 PM, Wilper, Ross A <rwilper@stanford.edu> wrote:
> You mention allowing the DES enctypes on the Windows 7 box? Is that the only common enctype available between the MIT realm and Windows? (AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)
I have all these enctypes enabled in fact.
> If so, you will need to have DES enabled on the domain controller also. This is most easily done (for all machines) using a group policy
> "Network Security: Configure Encryption types allowed for Kerberos"
I have not found this group policy in a Windows Server 2008.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
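
Added example, not part of the original messages: a check for the enctype overlap the thread is about, comparing the enctypes a Windows trust allows with the enctypes the MIT-side trust principal has keys for, and flagging when only DES or RC4 is shared. It assumes the Windows side is available as an msDS-SupportedEncryptionTypes-style bitmask; the function names and all sample values are constructed for illustration.

```python
# Added example. Bit values are those of the AD attribute
# msDS-SupportedEncryptionTypes; sample masks and key lists are constructed.
ENCTYPE_BITS = {
    "DES-CBC-CRC": 0x01,
    "DES-CBC-MD5": 0x02,
    "RC4-HMAC": 0x04,
    "AES128-CTS-HMAC-SHA1-96": 0x08,
    "AES256-CTS-HMAC-SHA1-96": 0x10,
}
# MIT krb5 enctype names (and common aliases) mapped to the labels above.
MIT_NAMES = {
    "des-cbc-crc": "DES-CBC-CRC",
    "des-cbc-md5": "DES-CBC-MD5",
    "arcfour-hmac": "RC4-HMAC",
    "rc4-hmac": "RC4-HMAC",
    "aes128-cts-hmac-sha1-96": "AES128-CTS-HMAC-SHA1-96",
    "aes128-cts": "AES128-CTS-HMAC-SHA1-96",
    "aes256-cts-hmac-sha1-96": "AES256-CTS-HMAC-SHA1-96",
    "aes256-cts": "AES256-CTS-HMAC-SHA1-96",
}
# Strongest first; the first shared entry is the one both sides should use.
PREFERENCE = ["AES256-CTS-HMAC-SHA1-96", "AES128-CTS-HMAC-SHA1-96",
              "RC4-HMAC", "DES-CBC-MD5", "DES-CBC-CRC"]
WEAK = {"RC4-HMAC", "DES-CBC-MD5", "DES-CBC-CRC"}

def decode_mask(mask):
    """Return the set of enctype labels whose bit is set in the mask."""
    return {name for name, bit in ENCTYPE_BITS.items() if mask & bit}

def trust_overlap(windows_mask, mit_key_enctypes):
    """Compare the Windows trust mask with the MIT trust principal's key enctypes."""
    unknown = [e for e in mit_key_enctypes if e.lower() not in MIT_NAMES]
    if unknown:
        raise ValueError(f"unrecognised MIT enctype name(s): {unknown}")
    mit = {MIT_NAMES[e.lower()] for e in mit_key_enctypes}
    shared = decode_mask(windows_mask) & mit
    common = [e for e in PREFERENCE if e in shared]
    return {
        "common": common,
        "best": common[0] if common else None,      # None: the trust cannot work
        "weak_only": bool(common) and all(e in WEAK for e in common),
    }

if __name__ == "__main__":
    # Constructed case: RC4-only trust against MIT keys without arcfour-hmac.
    print(trust_overlap(0x04, ["aes256-cts-hmac-sha1-96", "des-cbc-md5"]))
    # Constructed case: AES-enabled trust against the same MIT keys.
    print(trust_overlap(0x18, ["aes256-cts-hmac-sha1-96", "des-cbc-md5"]))
```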