Microsoft Windows 2000 Security Discussions
 
Windows Server 2008 R2
(1)
Windows XP
(1)
Windows 2003 Server
(1)
Windows Vista
(1)
Windows 7
(1)
Pricipal
(1)
ISeries
(1)
Possibilties
(1)

Windows 7 / Windows Vista kerberos differencies

Asked By Mirek Endys
02-Oct-09 09:53 AM
Reply
Hello,

I tried to find the answer of my question about differencies of the kerberos
in Win7 and Vista.
Why? I have problem with kerberos and iSeries Access software used for the
connection to the IBM/AS400 system

on the Vista, Windows 2003 Server, Windows XP i can use the kerberos without
problem. iSeries Access log me in immediately. But in Windows 7 the IBM
system says, that kerberos principals has not been found. But Im able to use
kerberos with the same user account from other systems. Where is the problem?

Thanks for help

Hi, this kb is about new implementation of kerberoshttp://technet.microsoft.

Ricciopasticcio replied to Mirek Endys
08-Oct-09 09:15 AM
Reply
Hi, this kb is about new implementation of kerberos

http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx

Changes in Kerberos Authentication
Updated: March 9, 2009
This product evaluation topic for the IT professional describes the
cryptographic enhancements to Microsoft's implementation of Kerberos version
5 (v5) in Windows 7 and Windows Server 2008 R2.
Cryptographic support for Kerberos in Windows 7 and Windows Server 2008 R2
The following cipher suites are supported in Windows 7 and Windows Server
2008 R2:
???	AES256-CTS-HMAC-SHA1-96
???	AES128-CTS-HMAC-SHA1-96
???	RC4-HMAC
???	DES-CBC-MD5
???	DES-CBC-CRC
Both DES cipher suites are disabled by default in Windows 7.
Enabling DES encryption types for Kerberos
In Windows 7 and Windows Server 2008 R2, you must configure your computers
to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. These settings might
affect compatibility with client computers or services and applications in
your environment.
The Configure encryption types allowed for Kerberos policy setting is
located in Computer Configuration\Security Settings\Local Policies\Security
Options.
ECC support in Kerberos for smart card logon
In Windows 7 and Windows Server 2008 R2, Kerberos supports elliptic curve
cryptography (ECC) for smart card logon that uses X.509 certificates.
Although this change is not visible to end users, they will benefit from
stronger cryptography for their smart card logons. There is no configuration
required to obtain ECC support in Kerberos. However, your smart cards and
readers must support ECC.

with AS400 U have to use DES-CBC-MD5

It is not working.

Mirek Endys replied to Ricciopasticcio
08-Oct-09 11:29 AM
Reply
It is not working.
I set the policy to use DES-CBC-MD5 (nothing else from the list of
possibilities), but iSeries Access still says, that Kerberos Pricipal has not
been found.

But thanks a lot... Any other idea?

Mirek

Try enabling AES128_HMAC_SHA1"Mirek Endys" wrote:

Michael Sword replied to Mirek Endys
20-Oct-09 12:55 PM
Reply
Try enabling AES128_HMAC_SHA1
I tried to check all possibilties but nothing helps."Michael Sword" wrote:
Mirek Endys replied to Michael Sword
01-Dec-09 08:01 AM
Reply
I tried to check all possibilties but nothing helps.
Post Question To EggHeadCafe