From 05c7822d0e5118df745685ab2f9b20fe07dcfb6c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 19 May 2009 23:17:49 +0000 Subject: [PATCH] When using keyed checksum types with TGS subkeys, Microsoft AD 2003 verifies the checksum using the subkey, whereas MIT and Heimdal verify it using the TGS session key. (RFC 4120 is actually silent on which is correct; RFC 4757 specifies the TGS session key.) To sidestep this interop issue, don't use keyed checksum types with RC4 keys without explicit configuration in krb5.conf. Using keyed checksum types with AES is fine since, experimentally, AD 2008 accepts checksums keyed with the TGS session key. ticket: 6490 status: open tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22356 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/send_tgs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 73980f2cf..97cd02bf7 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -68,6 +68,8 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, case ENCTYPE_DES_CBC_CRC: case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP: cksumtype = context->kdc_req_sumtype; break; default: -- 2.26.2
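Review bot: The two added case labels in tgs_construct_tgsreq (ENCTYPE_ARCFOUR_HMAC and ENCTYPE_ARCFOUR_HMAC_EXP) carry no comment saying why RC4 keys now share the DES branch that takes cksumtype from context->kdc_req_sumtype. The interop reason is recorded only in the commit message: AD 2003 verifies keyed checksums with the subkey rather than the TGS session key. A short comment above the new labels stating that would keep a later cleanup of the DES cases from dropping them or folding them back into default. The diff also touches only send_tgs.c. The commit message says keyed checksum types with RC4 now require explicit configuration in krb5.conf, but nothing in this change documents which setting feeds kdc_req_sumtype, so a documentation update alongside the code would help administrators who depend on the previous behaviour.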