Windows 7 / Windows Vista kerberos differencies

M

Mirek Endys

Hello,

I tried to find the answer of my question about differencies of the kerberos
in Win7 and Vista.
Why? I have problem with kerberos and iSeries Access software used for the
connection to the IBM/AS400 system

on the Vista, Windows 2003 Server, Windows XP i can use the kerberos without
problem. iSeries Access log me in immediately. But in Windows 7 the IBM
system says, that kerberos principals has not been found. But Im able to use
kerberos with the same user account from other systems. Where is the problem?

Thanks for help
 
R

Ricciopasticcio

Hi, this kb is about new implementation of kerberos

http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx

Changes in Kerberos Authentication
Updated: March 9, 2009
This product evaluation topic for the IT professional describes the
cryptographic enhancements to Microsoft's implementation of Kerberos version
5 (v5) in Windows 7 and Windows Server 2008 R2.
Cryptographic support for Kerberos in Windows 7 and Windows Server 2008 R2
The following cipher suites are supported in Windows 7 and Windows Server
2008 R2:
• AES256-CTS-HMAC-SHA1-96
• AES128-CTS-HMAC-SHA1-96
• RC4-HMAC
• DES-CBC-MD5
• DES-CBC-CRC
Both DES cipher suites are disabled by default in Windows 7.
Enabling DES encryption types for Kerberos
In Windows 7 and Windows Server 2008 R2, you must configure your computers
to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. These settings might
affect compatibility with client computers or services and applications in
your environment.
The Configure encryption types allowed for Kerberos policy setting is
located in Computer Configuration\Security Settings\Local Policies\Security
Options.
ECC support in Kerberos for smart card logon
In Windows 7 and Windows Server 2008 R2, Kerberos supports elliptic curve
cryptography (ECC) for smart card logon that uses X.509 certificates.
Although this change is not visible to end users, they will benefit from
stronger cryptography for their smart card logons. There is no configuration
required to obtain ECC support in Kerberos. However, your smart cards and
readers must support ECC.

with AS400 U have to use DES-CBC-MD5
 
M

Mirek Endys

It is not working.
I set the policy to use DES-CBC-MD5 (nothing else from the list of
possibilities), but iSeries Access still says, that Kerberos Pricipal has not
been found.

But thanks a lot... Any other idea?

Mirek
 
M

Michael Sword

Try enabling AES128_HMAC_SHA1

Mirek Endys said:
It is not working.
I set the policy to use DES-CBC-MD5 (nothing else from the list of
possibilities), but iSeries Access still says, that Kerberos Pricipal has not
been found.

But thanks a lot... Any other idea?

Mirek
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top