
Gavin_Connell-O
Jul 29, 2014

Question over Kerberos AAA Keytab Encryption type (Client Side Kerb SSO access policy)

Hello!

I've got a query for someone familiar with APM and Kerberos encryption types, and SPN keytabs.

I've got a few client-side Kerberos SSO APM Access Policies, and I have a question about the keytabs I'm using.

We're planning an Active Directory upgrade, which will change the Kerberos tickets issued to our mostly Windows clients from RC4 to AES. We're going from AD 2003 to AD 2012. My Kerberos SSO hinges on the keytabs I have loaded onto the APM for each SPN in AD. They were all created using 'crypto RC4-HMAC-NT'.

When my KDC upgrades to 2012, which will result in all my client tickets being AES, will the keytab need to be upgraded to correspond? Or will it continue working as it is?

My understanding is that this keytab is used to decrypt incoming Kerberos tickets, to confirm their validity. But does it need to be encrypted with the same encryption type used on the incoming tickets? Or am I worrying unnecessarily (likely)?

All comments and thoughts gratefully received!

Thanks,

Gavin Connell-Otten
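The question turns on whether the keytab holds a key of the same encryption type the KDC uses when it encrypts the service ticket, since that is the key the APM needs to decrypt the ticket. A practical first check is to look at which enctypes a keytab actually contains. What follows is an added example, not code from this thread or from F5: a small Python parser for the MIT keytab file format (version 0x0502, the format ktpass and ktutil write) that lists each entry's principal, kvno and enctype, handles the optional 32-bit kvno override and deleted slots, and reports any enctype from an assumed KDC list that has no key in the keytab. The keytab bytes, the principal HTTP/app.example.com@EXAMPLE.COM and the key material are constructed placeholders; the enctype list AES_ERA_KDC is an assumption for the example.

```python
"""Added example (not from the original thread or from F5): inspect a Kerberos
keytab and report which encryption types (enctypes) it holds."""
import struct

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def _counted(buf, off):
    """Read a counted octet string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:       # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key": key,
        })
    return entries


def missing_enctypes(entries, issued_enctypes):
    """Enctypes the KDC might use on a service ticket that have no key in the keytab."""
    have = {e["enctype"] for e in entries}
    return sorted(set(issued_enctypes) - have)


def build_keytab(principal, realm, keys, kvno=3, timestamp=0):
    """Construct a version 0x0502 keytab with one entry per (enctype, key).
    Used here only to fabricate sample input; real keytabs come from ktpass/ktutil."""
    comps = principal.split("/")
    out = bytearray(b"\x05\x02")
    for enctype, key in keys:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type 1 = NT-PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: an RC4-only keytab, like one made with ktpass -crypto RC4-HMAC-NT.
# Key bytes are placeholders, not real key material.
SAMPLE_RC4_ONLY = build_keytab("HTTP/app.example.com", "EXAMPLE.COM",
                               [(23, bytes(range(16)))])
# Same principal with RC4 plus both AES keys.
SAMPLE_RC4_AND_AES = build_keytab("HTTP/app.example.com", "EXAMPLE.COM",
                                  [(23, bytes(range(16))), (17, bytes(range(16))),
                                   (18, bytes(range(32)))])

# Assumed enctypes the post-upgrade KDC could use on service tickets (AES256, AES128, RC4).
AES_ERA_KDC = [18, 17, 23]

if __name__ == "__main__":
    for label, kt in (("rc4-only", SAMPLE_RC4_ONLY), ("rc4+aes", SAMPLE_RC4_AND_AES)):
        entries = parse_keytab(kt)
        for e in entries:
            print(label, e["principal"], "kvno", e["kvno"], e["enctype_name"])
        print(label, "missing:", [ENCTYPE_NAMES[t] for t in missing_enctypes(entries, AES_ERA_KDC)])
```

Run against a real keytab by replacing the constructed bytes with `open("app.keytab", "rb").read()`; an entry list that shows only rc4-hmac while the KDC is expected to issue AES tickets is the condition the question is worried about, and the kvno column is worth watching too, since a keytab regenerated after the upgrade must also match the account's current key version.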

 

3 Replies

  • Thanks Kevin. That's interesting. So in that environment (Win7+Win2012) are your issued kerb tickets also RC4_HMAC?

  • So in that environment (Win7+Win2012) are your issued kerb tickets also RC4_HMAC?

    Yes. I didn't take a screenshot of that, but yes it apparently does.

  • Odd! Perhaps there is some KDS/DC side configuration to force AES. Either way, I appreciate your help Kevin, thanks again :)