[cifs-protocol] How to determine if an account should use AES?

Sebastian Canevari Sebastian.Canevari at microsoft.com
Fri Aug 14 12:40:27 MDT 2009 

Hi Andrew,

I've been investigating this and I'm still discussing with the product group what would be the best way to better detail this process.

As explained in the document, the KDC will rely on the AD property msDS-SupportedEncryptionTypes. 
Now, if the property is not populated by the server or service, then the KDC will default to RC4 which is the legacy type.

With respect to the NETLOGON_DOMAIN_INFO, Matthieu is working with Obaid on that section and I believe Obaid is sending him his response shortly.

Please let me know if you need further assistance.

Thanks and regards,

Sebastian

Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, August 03, 2009 7:29 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: How to determine if an account should use AES?

G'day,

In Windows 2008 mode, we now generate AES keys for user and computer accounts.  The KDC will then issue tickets using those keys.

However, it seems to me that we should not do so for Windows XP and similar targets - ie, those that would not be able to decrypt AES keys.  

In traditional kerberos, you would manually set the encryption types for which you generated keys to the 'safe set' of commonly accepted types.
How, as a domain controller, should I know what encryption types are safe for a particular member server to accept (and for the DC to generate and store)?

Also, where should we return this information:  For example, should we return what encryption types the workstation supports in 2.2.1.3.11
NETLOGON_DOMAIN_INFO: SupportedEncTypes, or is this the encryption types supported by the domain?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

More information about the cifs-protocol mailing list