[28749] in Kerberos
Re: Adding supported enctypes to kdc
daemon@ATHENA.MIT.EDU (John Washington)
Fri Nov 16 16:15:59 2007
Date: Fri, 16 Nov 2007 15:15:21 -0600
From: John Washington <jawashin@uiuc.edu>
To: kerberos@mit.edu
Message-ID: <20071116211521.GH20013@localhost>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <fc7b2379-768b-49a2-b9f9-2aae125433a9@b32g2000hsa.googlegroups.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I would definitely add aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96,
as Microsoft is adding these to AD (and I prefer good encryption, not
really broken encryption)
as per:
http://blogs.technet.com/ad/archive/2007/11/02/server-2008-and-windows-vista-encryption-better-together.aspx
* Steve Devine <devine.steve@gmail.com> [2007-11-16 15:05]:
> Our current supported enctypes are:
> des3-hmac-sha1:normal, des-cbc-crc:normal, des-cbc-crc:v4, des-cbc-
> crc:afs3
>
> I want to add rc4-hmac
> So my question is will this disrupt anything? I have read that the
> order matters where I put it in the file.
> Do I need to rekey any principals with keepold? I don't intend to
> remove any enctypes just add them.
>
> Should I add anything else while I am at it? We are striving towards
> Microsoft Compatibility.
>
> Thanks
> Steve Devine
> MSU
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
