It could be the new AD server is setup to be backward compatible meaning it use RC4 despite being able to use AES. I suggest you crate an additional keytab entry for RC4. How did you create the keytab ?

Markus


"Ludovit Koren"  wrote in message news:86mw4hbl56....@gmail.com...

Markus Moeller <hua...@moeller.plus.com> writes:

   > Hi Ludovit,
   >  Firstly, these lines are contradictory

   > permitted_enctypes = aes128-cts-hmac-sha1-96
   > allow_weak_crypto = true

   > weak crypto is des and permitted is aes.  Do you use a mixed AD
   > environment ( 2003/2008 )  ?  2003 does not support aes.

Hello,

the AD cluster is due to be upgraded. I think the old is 2003 and new is
2010(?). I am trying to authenticate against new one, I got the keytab
from it with the following:

# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                         Aliases
 5  aes128-cts-hmac-sha1-96  HTTP/proxy.mdpt.local@MDPT.LOCAL

I commented out allow_weak_crypto. The result is the same.


lk
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to