Changing Key Types

For the strongest enterprise-wide security between the Security Servers and Clients, all principals must have 3DES keys using Normal (V5) salt.

To change a DES principal's key type to 3DES

If you are changing the key type for a service principal that has extracted keys, you must perform these steps on the host system where the service resides. Launch the remote administrator, kadmin_ui, and log on using a principal account with the required administrative permissions.

In the kadminl_ui window, choose the Principals tab, and select the principal's realm.
Find the principal using the List All or Search button.
Select the principal name from the List of Principals and click Edit.
The Principal Information window appears.
Select the Password tab.
Under the Key and Salt Types, select the primary and secondary key types and salt types. If the principal was formerly a DES principal, you may want to retain one key as DES and set the other key to 3DES.
Click OK. The Change Password window appears as a new password must be generated if the key or salt type is changed.
Note the following:
- If the principal is a user principal, enter a new password.
- If the principal is a service principal with an extracted key, select the check box to generate a random key.
Click OK to close the Change Password window.
If the principal is a user principal, inform the user of their new temporary password. At the next logon, the principal is required to change their password.
If the principal is a service principal, you must extract the new key for the principal. For more information on this procedure, refer to “Extracting Service Keys”.

Changing Key Types

Technical documentation

» Table of Contents

» Glossary

» Index

To change a DES principal's key type to 3DES