It could be that the new AD server is set up to be backward compatible, meaning
it uses RC4 despite being able to use AES. I suggest you create an additional
keytab entry for RC4. How did you create the keytab?
Markus
"Ludovit Koren" wrote in message news:86mw4hbl56.fsf@xxxxxxxxx...
Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> writes:
> Hi Ludovit,
> Firstly, these lines are contradictory
> permitted_enctypes = aes128-cts-hmac-sha1-96
> allow_weak_crypto = true
> Weak crypto is DES and permitted is AES. Do you use a mixed AD
> environment (2003/2008)? 2003 does not support AES.
Hello,
the AD cluster is due to be upgraded. I think the old one is 2003 and the new one is
2010(?). I am trying to authenticate against the new one; I got the keytab
from it with the following:
# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:
Vno Type Principal Aliases
5 aes128-cts-hmac-sha1-96 HTTP/proxy.mdpt.local@MDPT.LOCAL
I commented out allow_weak_crypto. The result is the same.
lk
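
The keytab/enctype mismatch discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages: it parses a `ktutil list` listing and the `permitted_enctypes` line and reports why a service ticket of a given enctype could not be accepted. The sample inputs are constructed from the lines quoted above, the function names are hypothetical, and the premise that the KDC issues an RC4 ticket is the assumption raised in the reply.

```python
import re

# Constructed sample inputs, modelled on the lines quoted in the thread.
KTUTIL_LIST = """/etc/krb5.keytab:
Vno  Type                     Principal                          Aliases
  5  aes128-cts-hmac-sha1-96  HTTP/proxy.mdpt.local@MDPT.LOCAL
"""
KRB5_CONF = """[libdefaults]
    permitted_enctypes = aes128-cts-hmac-sha1-96
"""

# Different spellings of the same RC4 enctype, normalised to one name.
ALIASES = {"rc4-hmac": "arcfour-hmac-md5", "arcfour-hmac": "arcfour-hmac-md5"}


def norm(enctype):
    enctype = enctype.strip().lower()
    return ALIASES.get(enctype, enctype)


def parse_keytab(listing):
    """Map each principal to the set of enctypes it has keys for."""
    keys = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+)", line)
        if m:  # file-name and header lines do not start with a key version number
            keys.setdefault(m.group(3), set()).add(norm(m.group(2)))
    return keys


def parse_permitted(conf):
    """Return the permitted_enctypes set, or None if the option is absent or commented out."""
    m = re.search(r"^[ \t]*permitted_enctypes[ \t]*=[ \t]*(.+)$", conf, re.M)
    return {norm(e) for e in re.split(r"[,\s]+", m.group(1).strip())} if m else None


def check_ticket(principal, ticket_enctype, listing, conf):
    """List the reasons the acceptor could not use a ticket of this enctype."""
    want, problems = norm(ticket_enctype), []
    have = parse_keytab(listing).get(principal, set())
    permitted = parse_permitted(conf)
    if want not in have:
        problems.append(f"no {want} key for {principal} (keytab has: {sorted(have)})")
    if permitted is not None and want not in permitted:
        problems.append(f"{want} is not in permitted_enctypes")
    return problems


if __name__ == "__main__":
    spn = "HTTP/proxy.mdpt.local@MDPT.LOCAL"
    for etype in ("aes128-cts-hmac-sha1-96", "rc4-hmac"):
        print(etype, "->", check_ticket(spn, etype, KTUTIL_LIST, KRB5_CONF) or "ok")
```
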
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users