[cifs-protocol] How to determine if an account should use AES?

Bill Wesse billwe at microsoft.com
Mon Aug 3 07:16:33 MDT 2009

Good morning Andrew - I have created case SRX090803600034 to track our work against your request. One of my team colleagues will take ownership of this case and contact you shortly.

Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, August 03, 2009 8:29 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: How to determine if an account should use AES?


In Windows 2008 mode, we now generate AES keys for user and computer accounts.  The KDC will then issue tickets using those keys.

However, it seems to me that we should not do so for Windows XP and similar targets - i.e., those that would not be able to decrypt AES keys.

In traditional Kerberos, you would manually set the encryption types for which you generated keys to the 'safe set' of commonly accepted types.
How, as a domain controller, should I know what encryption types are safe for a particular member server to accept (and for the DC to generate and store)?

Also, where should we return this information:  For example, should we return what encryption types the workstation supports in
NETLOGON_DOMAIN_INFO: SupportedEncTypes, or is this the encryption types supported by the domain?


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
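An added example (not code from this thread, from Samba, or from Microsoft) of the decision Andrew is asking about: reading the per-account msDS-SupportedEncryptionTypes bitmask (bit values as published in MS-KILE section 2.2.7) and using it to decide which Kerberos key types a KDC should generate for an account, and which type a ticket for a given target should use. The treatment of an account with no attribute set as RC4-only is an assumption made for the example, chosen to match the XP-era targets described above; the function names and the constructed sample values are likewise the example's own.

```python
# Added example: decode the msDS-SupportedEncryptionTypes bitmask and pick
# Kerberos key/ticket encryption types from it. Bit values follow MS-KILE
# section 2.2.7; everything else here (names, legacy default, sample values)
# is an assumption of this example and not from Samba or Microsoft code.
from enum import IntFlag
from typing import List, Optional


class SupportedEncTypes(IntFlag):
    """Key-type bits of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7)."""
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10


# Only the five key-type bits matter for key generation; higher bits of the
# attribute carry unrelated capability flags and are masked off here.
ENCTYPE_MASK = 0x1F

# Strongest first. A KDC issuing a ticket picks the first type that both the
# requesting client and the target service account have in common.
PREFERENCE = (
    SupportedEncTypes.AES256_CTS_HMAC_SHA1_96,
    SupportedEncTypes.AES128_CTS_HMAC_SHA1_96,
    SupportedEncTypes.RC4_HMAC,
    SupportedEncTypes.DES_CBC_MD5,
    SupportedEncTypes.DES_CBC_CRC,
)

AES_BITS = (SupportedEncTypes.AES128_CTS_HMAC_SHA1_96
            | SupportedEncTypes.AES256_CTS_HMAC_SHA1_96)

# Assumption for this example: an account that never set the attribute
# (typical of a Windows XP / 2003 era member that does not know about AES)
# is treated as RC4-only, so the KDC never hands it an AES-encrypted ticket.
LEGACY_DEFAULT = SupportedEncTypes.RC4_HMAC


def decode(attr_value: Optional[int]) -> SupportedEncTypes:
    """Turn the raw LDAP integer (or None if absent) into key-type flags."""
    if attr_value is None:
        return LEGACY_DEFAULT
    return SupportedEncTypes(attr_value & ENCTYPE_MASK)


def supports_aes(attr_value: Optional[int]) -> bool:
    """True if the account advertises at least one AES key type."""
    return bool(decode(attr_value) & AES_BITS)


def keys_to_generate(attr_value: Optional[int],
                     kdc_allowed: SupportedEncTypes) -> List[SupportedEncTypes]:
    """Key types the DC should derive and store for this account, strongest
    first: the intersection of what the account advertises and what the KDC
    itself is configured to allow. Empty list means no usable key type."""
    common = decode(attr_value) & kdc_allowed
    return [t for t in PREFERENCE if common & t]


def pick_ticket_enctype(client_attr: Optional[int],
                        target_attr: Optional[int]) -> Optional[SupportedEncTypes]:
    """Strongest encryption type shared by client and target service account,
    or None when they have nothing in common (the KDC would then have to
    return an error rather than guess)."""
    common = decode(client_attr) & decode(target_attr)
    for t in PREFERENCE:
        if common & t:
            return t
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory:
    # 0x1C = RC4 | AES128 | AES256 (a Windows 2008-era machine account),
    # None  = attribute absent (an XP-era member).
    kdc_policy = SupportedEncTypes(ENCTYPE_MASK)
    print(keys_to_generate(0x1C, kdc_policy))
    print(keys_to_generate(None, kdc_policy))
    print(pick_ticket_enctype(0x1C, None))
```

Run stand-alone it prints the key list for a modern account, the RC4-only list for a legacy one, and RC4 as the ticket type between the two; feeding a KDC policy that excludes RC4 returns an empty list for the legacy account, which is the case a DC must detect before it silently issues keys the member cannot use.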
