@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top
@comment node-name, next, previous, up
@chapter Windows 2000 compatibility

Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
Kerberos 5. Their implementation, however, has some quirks,
peculiarities, and bugs. This chapter is a short summary of the things
that we have found out while trying to test Heimdal against Windows
2000. Another big problem with the Kerberos implementation in Windows
2000 is the almost complete lack of documentation.

This information should apply to Heimdal @value{VERSION} and Windows
2000 RC1. It is of course subject to change all the time and mostly
consists of our not so inspired guesses. Hopefully it is still somewhat
useful.

@menu
* Encryption types::
* Authorization data::
@end menu

@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability
@comment node-name, next, previous, up
@section Encryption types

Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
des-cbc-md5) and its own proprietary encryption that is based on MD4 and
RC4 and which is supposed to be described in
draft-brezak-win2k-krb-rc4-hmac-01.txt. To enable a given principal to
use DES, it needs to have DES keys in the database. To do this, you
need to enable DES keys for the particular principal with the user
administration tool and then change the password.

@node Authorization data, , Encryption types, Windows 2000 compatability
@comment node-name, next, previous, up
@section Authorization data

The Windows 2000 KDC also adds extra authorization data in tickets.
It is at this point unclear what triggers it to do this. The format of
this data is unknown and, according to Microsoft, subject to change. A
simple way of getting hold of the data to be able to understand it
better is described here.

@enumerate
@item Find the client example on using the SSPI in the SDK documentation.
@item Change ``AuthSamp'' in the source code to lowercase.
@item Build the program.
@item Add the ``authsamp'' principal with a known password to the
database. Make sure it has a DES key.
@item Run @kbd{ktutil add} to add the key for that principal to a
keytab.
@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
--dump-auth=file} where file is an appropriate file.
@item It should authenticate and dump for you the authorization data in
the file.
@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
analyzing the data.
@end enumerate