Windows Server - Windows 7 / Windows Vista Kerberos differences

Asked By Mirek Endys
02-Oct-09 09:53 AM
Hello,

I tried to find the answer to my question about the differences in Kerberos
between Win7 and Vista.
Why? I have a problem with Kerberos and the iSeries Access software used for the
connection to the IBM/AS400 system.

On Vista, Windows 2003 Server and Windows XP I can use Kerberos without a
problem. iSeries Access logs me in immediately. But in Windows 7 the IBM
system says that the Kerberos principal has not been found. But I'm able to use
Kerberos with the same user account from other systems. Where is the problem?

Thanks for help
  Ricciopasticcio replied to Mirek Endys
08-Oct-09 09:15 AM
Hi, this KB is about the new implementation of Kerberos

http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx

Changes in Kerberos Authentication
Updated: March 9, 2009

This product evaluation topic for the IT professional describes the
cryptographic enhancements to Microsoft's implementation of Kerberos version
5 (v5) in Windows 7 and Windows Server 2008 R2.

Cryptographic support for Kerberos in Windows 7 and Windows Server 2008 R2

The following cipher suites are supported in Windows 7 and Windows Server
2008 R2:
- AES256-CTS-HMAC-SHA1-96
- AES128-CTS-HMAC-SHA1-96
- RC4-HMAC
- DES-CBC-MD5
- DES-CBC-CRC

Both DES cipher suites are disabled by default in Windows 7.

Enabling DES encryption types for Kerberos

In Windows 7 and Windows Server 2008 R2, you must configure your computers
to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. These settings might
affect compatibility with client computers or services and applications in
your environment.
The Configure encryption types allowed for Kerberos policy setting is
located in Computer Configuration\Security Settings\Local Policies\Security
Options.

ECC support in Kerberos for smart card logon

In Windows 7 and Windows Server 2008 R2, Kerberos supports elliptic curve
cryptography (ECC) for smart card logon that uses X.509 certificates.
Although this change is not visible to end users, they will benefit from
stronger cryptography for their smart card logons. There is no configuration
required to obtain ECC support in Kerberos. However, your smart cards and
readers must support ECC.

With AS400 you have to use DES-CBC-MD5
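
One way to see what the "Configure encryption types allowed for Kerberos" setting quoted above actually allows on a given machine, as an added example that is not part of the original thread or of the quoted article. The registry location and bit values are stated from general Windows knowledge rather than from the page, and the function names are made up for illustration.

```powershell
# Added example. Bit flags of the SupportedEncryptionTypes policy value.
$EtypeBits = @(
    @{ Name = 'DES-CBC-CRC';             Bit = 0x1;  Weak = $true  },
    @{ Name = 'DES-CBC-MD5';             Bit = 0x2;  Weak = $true  },
    @{ Name = 'RC4-HMAC';                Bit = 0x4;  Weak = $false },
    @{ Name = 'AES128-CTS-HMAC-SHA1-96'; Bit = 0x8;  Weak = $false },
    @{ Name = 'AES256-CTS-HMAC-SHA1-96'; Bit = 0x10; Weak = $false }
)

# Hypothetical helper: turn a policy bitmask into the list of enabled suites.
function ConvertFrom-KerberosEtypeMask {
    param([int]$Mask)
    foreach ($e in $EtypeBits) {
        if ($Mask -band $e.Bit) {
            New-Object PSObject -Property @{ Name = $e.Name; Weak = $e.Weak }
        }
    }
}

# Hypothetical helper: read the value the policy setting writes, or $null if unset.
function Get-KerberosEtypePolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $p = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.SupportedEncryptionTypes
}

$mask = Get-KerberosEtypePolicy
if ($null -eq $mask) {
    'Policy not configured; OS defaults apply (both DES suites disabled on Windows 7).'
} else {
    'Policy value: 0x{0:X}' -f $mask
    $enabled = @(ConvertFrom-KerberosEtypeMask -Mask $mask)
    foreach ($s in $enabled) {
        '  enabled: {0}{1}' -f $s.Name, $(if ($s.Weak) { '  (DES, weak)' } else { '' })
    }
    $strong = @($enabled | Where-Object { -not $_.Weak })
    if ($enabled.Count -gt 0 -and $strong.Count -eq 0) {
        'Only DES suites are allowed by this policy; RC4 and AES are switched off.'
    }
}
```

A policy value of 0x2 is what selecting DES-CBC-MD5 and nothing else produces; 0x1C corresponds to the three non-DES suites from the list above.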
  Mirek Endys replied to Ricciopasticcio
08-Oct-09 11:29 AM
It is not working.
I set the policy to use DES-CBC-MD5 (nothing else from the list of
possibilities), but iSeries Access still says that the Kerberos Principal has not
been found.

But thanks a lot... Any other idea?

Mirek
  Michael Sword replied to Mirek Endys
20-Oct-09 12:55 PM
Try enabling AES128_HMAC_SHA1
  Mirek Endys replied to Michael Sword
01-Dec-09 08:01 AM
I tried to check all possibilities but nothing helps.