Re: [kitten] [Curdle] I-D Action: draft-ietf-curdle-des-des-des-die-die-die-03.txt
Benjamin Kaduk <kaduk@mit.edu> Wed, 21 June 2017 03:46 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8563D126C0F for <kitten@ietfa.amsl.com>; Tue, 20 Jun 2017 20:46:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2SfPTtcN6Vm3 for <kitten@ietfa.amsl.com>; Tue, 20 Jun 2017 20:46:22 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF0E01204DA for <kitten@ietf.org>; Tue, 20 Jun 2017 20:46:21 -0700 (PDT)
X-AuditID: 12074423-645ff70000003130-70-5949ec0c1416
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 24.DE.12592.C0CE9495; Tue, 20 Jun 2017 23:46:20 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v5L3kJMe018949; Tue, 20 Jun 2017 23:46:20 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v5L3kFTc031577 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 20 Jun 2017 23:46:18 -0400
Date: Tue, 20 Jun 2017 22:46:15 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Martin Rex <mrex@sap.com>
Cc: kitten@ietf.org
Message-ID: <20170621034615.GH39245@kduck.kaduk.org>
References: <20170616040724.GO39245@kduck.kaduk.org> <20170619164331.0CB221A6BE@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170619164331.0CB221A6BE@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.7.1 (2016-10-04)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNIsWRmVeSWpSXmKPExsUixCmqrcvzxjPSYOdhPYujm1exWPT+3sHs wOSxZMlPJo8pn7cyBjBFcdmkpOZklqUW6dslcGU8/faWpWCLaMWUzxdZGhinCXYxcnJICJhI nP17j6WLkYtDSGAxk8TeVWfZIJyNjBIrO6+xQjhXmSQmzbzFBNLCIqAqsfDhYVYQm01ARaKh +zIziC0iICsx7dobRhCbWUBYYvkakEmcHMICsRKnfnxnAbF5gda9WbsOLC4kkCbx/2wzG0Rc UOLkzCcsEL1aEjf+vQTaxQFkS0ss/8cBEuYUsJH4+/sXWLmogLLE38P3WCYwCsxC0j0LSfcs hO4FjMyrGGVTcqt0cxMzc4pTk3WLkxPz8lKLdM30cjNL9FJTSjcxgsKU3UV5B+PLPu9DjAIc jEo8vBHKnpFCrIllxZW5hxglOZiURHn9bwKF+JLyUyozEosz4otKc1KLDzFKcDArifDKxQHl eFMSK6tSi/JhUtIcLErivOIajRFCAumJJanZqakFqUUwWRkODiUJXubXQI2CRanpqRVpmTkl CGkmDk6Q4TxAw8PngAwvLkjMLc5Mh8ifYlSUEuetfQWUEABJZJTmwfWC0ohE9v6aV4ziQK8I 874CqeIBpiC47ldAg5mABr844gEyuCQRISXVwMg+dfbyIxybxeJkQg4u4RFmFr6UHyklNXVx RF9izvfAXdN4t0jqiEw4wqDt+0IlZf96u6gqhhzV95PkCww+mohmlp0837t9k1od/5s69RUm 3aqvpzL/rf6Sdjm38Ud1WqUm3/dWCTEV8YDQfb3h58WFVPVDtnxiaLr2l7dD702I47PtC3Wy lFiKMxINtZiLihMB1NYpyP4CAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/MKb_HxHaYNSUaELomifpGNoifF4>
Subject: Re: [kitten] [Curdle] I-D Action: draft-ietf-curdle-des-des-des-die-die-die-03.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jun 2017 03:46:23 -0000
On Mon, Jun 19, 2017 at 06:43:31PM +0200, Martin Rex wrote: > > I have always been wondering about the following issue about > Microsoft Kerberos and the RC4-enctype: Just to note explicitly: I am listed in the To: line of this message but am definitely not the right person to answer the questions here. > To be able to use AES enctypes with Microsoft Kerberos, not only > the client, the server and the domain controllers must be using > Vista or higher, but I assume that *also* Active Directory must > be running a Domain functional level 2008 or higher (rather than > domain functional level 2003). Such an assumption is plausible. > Can Active Directory store AES enctype longterm secrets of service accounts > (for 2-token Kerberos authentication) when the domain controllers > are Windows 2008, 2008R2 or maybe even 2012R2, but domain functional > level is still at Windows 2003? I don't know. > If not, is it documented anywhere that _after_ upgrading a windows > domain to functional level 2008+, and _before_ being able to use > AES enctypes with serice accounts, it will be necessary to > _manually_ _administratively_ set a new password (or the same password) > for each and every service account, otherwise only RC4-enctypes and > NTLM-authentication will work for that service account (unless storing > passwords with reversible encryption has been enabled for a service > account, I assume). Such a property is a natural consequence of a design that stores only the string2key'd keys and not the original passwords. (I think I heard vague rumors that very old AD DCs did in fact store actual user passwords, but cannot substantiate such rumors.) > > Kerberos with RC4 enctypes seemed to always have worked instantly after > upgrading Windows domains, but AES enctypes seem to have never worked. I suspect that what is going on is that RC4 always existed and is always supported, but AES was added later and so had backwards compatibility requirements that involved not breaking existing deployments, so you had to explicitly opt-in all parties to the exchange. It's hard to know for sure when the risk of breaking things has gone away and it's safe to enable the new feature by default. > > Does anyone know about the exact details, and why RC4-enctypes seem > to work so much better in Windows? > > (I'm not a real Kerberos user myself, but I've worked on a number of > support calls, and for some customers, administratively setting a > new password seemed to fix some of the Kerberos authentication issues, > and I am mainly guessing at potential issues here). Your guesses seem reasonable to me, but I'm also just guessing, myself. -Ben
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Benjamin Kaduk
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Jeffrey Altman
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Benjamin Kaduk
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Martin Rex
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Martin Rex
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Benjamin Kaduk
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Benjamin Kaduk
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Jeffrey Altman
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Michiko Short
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Martin Rex
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Benjamin Kaduk
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Greg Hudson
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Michael Jenkins
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Daniel Migault
- Re: [kitten] [Curdle] I-D Action: draft-ietf-curd… Benjamin Kaduk