[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why is the server using DES but not RC4?

OK I tested it quickly and my interpretation was wrong. Once desonly is set 
with ktpass /desonly you can not reset it with ktpass. You have to use ADSI 
Edit (or delete/recreate the account). I tested on 2003 SP2.


"Achim Grolms" <achim@grolmsnet.de> wrote in message 
> On Thursday 28 June 2007 21:38, Markus Moeller wrote:
>> The default with the newer ktpass is RC4, so there is no need to use the
>> desonly nor crypto flag at all, only maybe if you need to switch 
>> behaviour.
> Sure.
> Florian Erfurth's problem was that he used the RC4 ktpass-configuration
> as described in <http://www.grolmsnet.de/kerbtut/> but run into the
> problem that his DC send DES servicetickets (instead of RC4).
> I suppose that's because he reused the account from his
> previous DES-experiments (that need the DESONLY setting).
> If the default behaviour of ktpass disables DES in every case-
> why does Florian run into that "KDC send DES problem"?
> An additional -DESONLY option in the RC4 ktpass would ensure
> that "DESONLY" is disabeled in *every case*.
> Is my thinking incorrect?
> Thank you,
> Achim