
Re: Why is the server using DES but not RC4?



It can also be set for computer accounts: if you use ADSI Edit, you can edit the 
useraccountcontrol value. Each bit has a meaning, as described here: 
http://support.microsoft.com/default.aspx/kb/305144


      Flag                             Hex         Decimal
      SCRIPT                           0x0001      1
      ACCOUNTDISABLE                   0x0002      2
      HOMEDIR_REQUIRED                 0x0008      8
      LOCKOUT                          0x0010      16
      PASSWD_NOTREQD                   0x0020      32
      PASSWD_CANT_CHANGE               0x0040      64
        Note: You cannot assign this permission by directly modifying the
        UserAccountControl attribute. For information about how to set the
        permission programmatically, see the "Property flag descriptions" section.
      ENCRYPTED_TEXT_PWD_ALLOWED       0x0080      128
      TEMP_DUPLICATE_ACCOUNT           0x0100      256
      NORMAL_ACCOUNT                   0x0200      512
      INTERDOMAIN_TRUST_ACCOUNT        0x0800      2048
      WORKSTATION_TRUST_ACCOUNT        0x1000      4096
      SERVER_TRUST_ACCOUNT             0x2000      8192
      DONT_EXPIRE_PASSWORD             0x10000     65536
      MNS_LOGON_ACCOUNT                0x20000     131072
      SMARTCARD_REQUIRED               0x40000     262144
      TRUSTED_FOR_DELEGATION           0x80000     524288
      NOT_DELEGATED                    0x100000    1048576
      USE_DES_KEY_ONLY                 0x200000    2097152
      DONT_REQ_PREAUTH                 0x400000    4194304
      PASSWORD_EXPIRED                 0x800000    8388608
      TRUSTED_TO_AUTH_FOR_DELEGATION   0x1000000   16777216


You can change it with ADSIEdit or ktpass +DESONLY or ktpass -DESONLY

C:\Temp>ktpass /?
Command line options:

---------------------most useful args
[- /]          out : Keytab to produce
[- /]        princ : Principal name (user@REALM)
[- /]         pass : password to use
                     use "*" to prompt for password.
[- +]      rndPass : ... or use +rndPass to generate a random password
[- /]      minPass : minimum length for random password (def:15)
[- /]      maxPass : maximum length for random password (def:256)
---------------------less useful stuff
[- /]      mapuser : map princ (above) to this user account (default: don't)
[- /]        mapOp : how to set the mapping attribute (default: add it)
[- /]        mapOp :  is one of:
[- /]        mapOp :        add : add value (default)
[- /]        mapOp :        set : set value
[- +]      DesOnly : Set account for des-only encryption (default:don't)
[- /]           in : Keytab to read/digest
---------------------options for key generation
[- /]       crypto : Cryptosystem to use
[- /]       crypto :  is one of:
[- /]       crypto : DES-CBC-CRC : for compatibility
[- /]       crypto : DES-CBC-MD5 : for compatibliity
[- /]       crypto : RC4-HMAC-NT : default 128-bit encryption
[- /]        ptype : principal type in question
[- /]        ptype :  is one of:
[- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /]        ptype : KRB5_NT_SRV_INST : user service instance
[- /]        ptype : KRB5_NT_SRV_HST : host service instance
[- /]         kvno : Override Key Version Number
                     Default: query DC for kvno.  Use /kvno 1 for Win2K 
compat.
[- +]       Answer : +Answer answers YES to prompts.  -Answer answers NO.
[- /]       Target : Which DC to use.  Default:detect
---------------------options for trust attributes (Windows Server 2003 Sp1 
Only
[- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
[- /]  TrustEncryp : Trust Encryption to use; DES is default
[- /]  TrustEncryp :  is one of:
[- /]  TrustEncryp :        RC4 : RC4 Realm Trusts (default)
[- /]  TrustEncryp :        DES : go back to DES

See Achim Grolms' tutorial for a link to the latest ktpass.

Regards
Markus
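As an added example (not code from the thread or from ktpass), the following Python decodes a userAccountControl integer with the bit table quoted above and reports whether the USE_DES_KEY_ONLY bit is set, which is the value to check on the computer account before blaming the KDC for picking DES; the sample value is constructed (a computer account, WORKSTATION_TRUST_ACCOUNT, with DES-only set).

```python
# Added example, not from the thread: decode userAccountControl (KB 305144 bits)
# and check / toggle the USE_DES_KEY_ONLY bit that ktpass +DesOnly / -DesOnly sets.

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
USE_DES_KEY_ONLY = 0x200000


def decode_uac(value):
    """Return (names of set bits in ascending bit order, bits not in the table)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)   # any bit KB 305144 does not list
    return names, unknown


def des_only(value):
    """True when the account is restricted to DES keys (the thread's question)."""
    return bool(value & USE_DES_KEY_ONLY)


def set_des_only(value, enabled):
    """Value the account would carry after ktpass +DesOnly (True) or -DesOnly."""
    return value | USE_DES_KEY_ONLY if enabled else value & ~USE_DES_KEY_ONLY


if __name__ == "__main__":
    sample = 0x1000 | 0x200000   # constructed: computer account, DES-only
    print(decode_uac(sample), des_only(sample), set_des_only(sample, False))
```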

----- Original Message ----- 
From: "Florian Erfurth" <floh-erfurth@arcor.de>
To: <heimdal-discuss@sics.se>
Sent: Thursday, June 28, 2007 6:26 PM
Subject: Re: Why is the server using DES but not RC4?


> Achim Grolms wrote:
>
>> On Tuesday 26 June 2007 16:33, Florian Erfurth wrote:
>>
>> I am not sure.
>> Please check the corresponding useraccount "bsdflohkerberos$" in AD
>> (the account you have used in ktpass) for
>> the "DES-only setting" in AD.
> The account bsdflohkerberos is not a user account but a computer account.
>
> Thank you.
> Floh
>
>