
trouble with forwarded tgt from windows client



Hi,

We've been having some problems with a forwarded TGT.  Specifically, we
have a Windows KDC, a Windows client which obtains a forwardable TGT and
sends it to Heimdal, and Heimdal's gss_accept_sec_context() successfully
returns the delegated credential.  However, when that credential is
passed to gss_init_sec_context() to obtain tickets for other services,
the Windows KDC returns "KDC has no support for checksum type".

Some investigations seem to suggest that the client's TGT has encryption
type des-cbc-md5, and based on that, Heimdal uses rsa-md5-des for the
checksum, which Windows clearly doesn't support.  I know setting
default_etype in krb.conf to des-cbc-crc would normally solve such a
problem, but it doesn't seem to work in this case because we are not
requesting the TGT ourselves.

So has anyone run into this problem before?  Is my guess of the cause
correct?  Any suggestions?  Thanks!

Zi-Bin Yang
DECRU, INC