Encryption Types Order in Kerberos
Things I don’t wish to forget the next time I need them. In a Kerberos
Realm with multiple encryption types available the KDC will use the
first type in the list that’s compatible with the client. So let’s say
you are adding encryption types to your KDC, of course you need to add
new keys to the
krbtgt/<REALM> principle. Once you do so check out
the list of keys. What will the KDC chose to use if things are in this
Key: vno 2, DES cbc mode with CRC-32, no salt Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt Key: vno 2, ArcFour with HMAC/md5, no salt Key: vno 1, DES cbc mode with CRC-32, no salt
You guested it,
des-cbc-crc! The weakest type. Even when the AES
encryption is compatible with the client.
This is where I began to bang my head on my desk. The order is, of
course, set when you use the
change_password command in kadmin or via
the kpasswd tool. The order is read from the
variable in your kdc.conf. So make sure the encryption types listed for
that variable are listed in the order of their strength.
Unfortunately, there’s no way to fix the order. You need to correct the
order in your kdc.conf file, restart the kadmin server, then use the
change_password command again (with
-keepold) to rekey the
krbtgt/<REALM> principle. Or use the kpasswd tool to update your
principle. Yes, the restart in there is required.