
Re: Windows 2003 SP1, cross-domain trust





Did you use ktpass /MITRealmName HEIMDALREAM.COM /trustencryp rc4 on the DC
to set the trust to rc4?



Markus



----- Original Message ----- 
From: "Chris Stromsoe" <cbs@cts.ucla.edu>
To: <heimdal-discuss@sics.se>; "Björn Sandell" <biorn@chalmers.se>
Sent: Thursday, March 29, 2007 9:49 PM
Subject: Re: Windows 2003 SP1, cross-domain trust


On Thu, 29 Mar 2007, Björn Sandell wrote:

> I disabled everything but the des keys on the cross realm principal:
>
> Principal: krbtgt/NETTST.CHALMERS.SE@TEST.CHALMERS.SE
> Keytypes(salttype[(salt-value)]): des-cbc-md4(pw-salt), 
> des-cbc-crc(pw-salt)
>
> It's working for XP clients but not for w2k clients, though I suspect
> that the w2k clients can't handle pkinit.

I had des-cbc-crc and arcfour-hmac-md5 keytypes.  I removed the
arcfour-hmac and it started working.  That would seem to indicate that
Windows 2003 doesn't do RC4-HMAC for the cross-realm principal.  I've
tested direct logins to the DC and to W2K3 and XP clients and had no
problems.  Thanks.


-Chris