[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Windows 2003 SP1, cross-domain trust



On Thu, 29 Mar 2007, Björn Sandell wrote:

> I disabled everything but the des keys on the cross realm principal:
>
> Principal: krbtgt/NETTST.CHALMERS.SE@TEST.CHALMERS.SE
> Keytypes(salttype[(salt-value)]): des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)
>
> It's working for XP clients but not for w2k client; though I suspect 
> that the w2k clients can't handle pkinit.

I had des-cbc-crc and arcfour-hmac-md5 keytypes.  I removed the 
arcfour-hmac and it started working.  That would seem to indicate that 
Windows 2003 doesn't do RC4-HMAC for the cross-realm principal.  I've 
tested direct logins to the DC and to W2K3 and XP clients and had no 
problems.  Thanks.


-Chris