@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top
@comment  node-name,  next,  previous,  up
@chapter Windows 2000 compatibility

Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
Kerberos 5. Their implementation, however, has some quirks,
peculiarities, and bugs. This chapter is a short summary of the things
that we have found out while trying to test Heimdal against Windows
2000. Another big problem with the Kerberos implementation in Windows
2000 is the almost complete lack of documentation.

This information should apply to Heimdal @value{VERSION} and Windows
2000 RC1. It's of course subject to change all the time and mostly
consists of our not so inspired guesses. Hopefully it's still somewhat
useful.

@menu
* Encryption types::
* Authorization data::
@end menu

@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability
@comment  node-name,  next,  previous,  up
@section Encryption types

Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
des-cbc-md5) and its own proprietary encryption, which is based on MD4
and RC4 and whose workings you cannot get hold of with an NDA. To enable
a given principal to use DES, it needs to have DES keys in the database.
To do this, you need to enable DES keys for the particular principal
with the user administration tool and then change the password.

@node Authorization data, , Encryption types, Windows 2000 compatability
@comment  node-name,  next,  previous,  up
@section Authorization data

The Windows 2000 KDC also adds extra authorization data in tickets.
It is at this point unclear what triggers it to do this. The format of
this data is unknown and, according to Microsoft, subject to change. A
simple way of getting hold of the data, to be able to understand it
better, is described here.

@enumerate
@item Find the client example on using the SSPI in the SDK documentation.
@item Change ``AuthSamp'' in the source code to lowercase.
@item Build the program.
@item Add the ``authsamp'' principal with a known password to the
database. Make sure it has a DES key.
@item Run @kbd{ktutil add} to add the key for that principal to a
keytab.
@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
--dump-auth=file} where file is an appropriate file.
@item It should authenticate and dump for you the authorization data in
the file.
@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
analyzing the data.
@end enumerate

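
For a first look at a dump from the last two steps, the following is an
added example, not part of Heimdal and not a replacement for
@kbd{lib/asn1/asn1_print}: a small DER tag-length-value walker. It
assumes the dumped bytes are DER-encoded ASN.1; the names
@code{read_header}, @code{walk} and @code{SAMPLE} are hypothetical, and
the sample bytes are constructed in the RFC 1510 AuthorizationData layout
rather than taken from a Windows 2000 KDC.

```python
# Added example, not Heimdal code: a small DER tag-length-value walker.
CLASSES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")
NAMES = dict([(2, "INTEGER"), (4, "OCTET STRING"), (16, "SEQUENCE"), (17, "SET")])

# Constructed sample in the RFC 1510 AuthorizationData layout, with
# ad-type 1 and four placeholder bytes as ad-data. Not Windows 2000 output.
SAMPLE = bytes.fromhex("300f300da003020101a1060404deadbeef")

def read_header(buf, pos, end):
    """Decode one identifier and length; return (cls, constructed, tag, length, start)."""
    try:
        first = buf[pos]
        pos += 1
        tag = first & 0x1F
        if tag == 0x1F:                  # high-tag-number form: base-128 digits
            tag = 0
            while True:
                tag = (tag << 7) | (buf[pos] & 0x7F)
                pos += 1
                if not buf[pos - 1] & 0x80:
                    break
        length = buf[pos]
        pos += 1
    except IndexError:
        raise ValueError("truncated header") from None
    if length == 0x80:
        raise ValueError("indefinite length is not valid DER")
    if length & 0x80:                    # long form: low 7 bits count the length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > end:               # untrusted input: never read past the parent
        raise ValueError("element overruns its container")
    return first >> 6, bool(first & 0x20), tag, length, pos

def walk(buf, pos=0, end=None, depth=0):
    """Flatten nested elements into (depth, label, length, value or None) rows."""
    end = len(buf) if end is None else end
    rows = []
    while pos < end:
        cls, constructed, tag, length, start = read_header(buf, pos, end)
        label = NAMES.get(tag, "UNIVERSAL %d" % tag) if cls == 0 else "[%s %d]" % (CLASSES[cls], tag)
        value = None if constructed else bytes(buf[start:start + length])
        rows.append((depth, label, length, value))
        if constructed:                  # descend into SEQUENCE and [n] wrappers
            rows += walk(buf, start, start + length, depth + 1)
        pos = start + length
    return rows
```

To use it on a real dump, read the file given to @kbd{--dump-auth} in
binary mode and pass its bytes to @code{walk}; a @code{ValueError} means
the bytes are not well-formed DER at that point.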