[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why is the server using DES but not RC4?

To: heimdal-discuss@sics.se
Subject: Re: Why is the server using DES but not RC4?
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Fri, 29 Jun 2007 00:34:54 +0100
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <f5r893$n3a$1@sea.gmane.org> <200706282103.40125.achim@grolmsnet.de> <f612p7$911$1@sea.gmane.org> <200706282350.05892.achim@grolmsnet.de>
Reply-To: heimdal-discuss@sics.se, "Markus Moeller" <huaraz@moeller.plus.com>
Sender: news <news@sea.gmane.org>

OK I tested it quickly and my interpretation was wrong. Once desonly is set 
with ktpass /desonly you can not reset it with ktpass. You have to use ADSI 
Edit (or delete/recreate the account). I tested on 2003 SP2.

Sorry
Markus

"Achim Grolms" <achim@grolmsnet.de> wrote in message 
200706282350.05892.achim@grolmsnet.de">news:200706282350.05892.achim@grolmsnet.de...
> On Thursday 28 June 2007 21:38, Markus Moeller wrote:
>> The default with the newer ktpass is RC4, so there is no need to use the
>> desonly nor crypto flag at all, only maybe if you need to switch 
>> behaviour.
>
> Sure.
> Florian Erfurth's problem was that he used the RC4 ktpass-configuration
> as described in <http://www.grolmsnet.de/kerbtut/> but run into the
> problem that his DC send DES servicetickets (instead of RC4).
> I suppose that's because he reused the account from his
> previous DES-experiments (that need the DESONLY setting).
> If the default behaviour of ktpass disables DES in every case-
> why does Florian run into that "KDC send DES problem"?
> An additional -DESONLY option in the RC4 ktpass would ensure
> that "DESONLY" is disabeled in *every case*.
>
> Is my thinking incorrect?
>
> Thank you,
> Achim
>

References:
- Why is the server using DES but not RC4?
  - From: Florian Erfurth <floh-erfurth@arcor.de>
- Re: Why is the server using DES but not RC4?
  - From: Achim Grolms <achim@grolmsnet.de>
- Re: Why is the server using DES but not RC4?
  - From: "Markus Moeller" <huaraz@moeller.plus.com>
- Re: Why is the server using DES but not RC4?
  - From: Achim Grolms <achim@grolmsnet.de>

Prev by Date: Re: Why is the server using DES but not RC4?
Next by Date: Re: Why is the server using DES but not RC4?
Prev by thread: Re: Why is the server using DES but not RC4?
Next by thread: Re: Why is the server using DES but not RC4?
Index(es):
- Date
- Thread