DES Versus 3DES Key Type Settings

In the processes outlined in the section “Authentication Process”, if the user principal and the service principal do not use the same key type, the process continues as described.

The Kerberos server acts as the only trusted party, and the client or the service does not accept a message encrypted by the client or the service key. Both the client application and the service share a secret key only with the server.

The authenticator data that the service and client encrypt or decrypt is encrypted in session keys. The server sends the required session keys to the client and service in packets that are encrypted with their respective keys. The Kerberos server checks the key type settings for the user principals and service principals and determines the most secure encryption allowed for the session key. If the user principals and service principals have a 3DES key stored in the database, the session key type that is returned is of type 3DES. If only one has a 3DES key and the other has a DES key, then the session key that is returned is of type DES.

The server never returns a session key in the service ticket packet that uses stronger encryption than the session key included with a TGT packet. If a user principal has both 3DES and DES keys and uses the DES key to obtain a TGT, all service tickets obtained using this TGT contain DES session keys.

	IMPORTANT: The krbtgt/<REALM NAME> is the ticket-granting principal. This is a reserved principal that is automatically created when you add a realm to the database. You must assign a key type for the krbtgt/<REALM NAME> principal or the default key, issued by the Kerberos server, uses the 3DES encryption type.