@comment win2k.texi revision 55682
@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top
@comment  node-name,  next,  previous,  up
@chapter Windows 2000 compatibility

Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
Kerberos 5.  Their implementation, however, has some quirks,
peculiarities, and bugs.  This chapter is a short summary of the things
that we have found out while trying to test Heimdal against Windows
2000.  Another big problem with the Kerberos implementation in Windows
2000 is the almost complete lack of documentation.

This information should apply to Heimdal @value{VERSION} and Windows
2000 RC1.  It's of course subject to change all the time and mostly
consists of our not so inspired guesses.  Hopefully it's still somewhat
useful.

@menu
* Encryption types::
* Authorization data::
@end menu

@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability
@comment  node-name,  next,  previous,  up
@section Encryption types

Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
des-cbc-md5) and its own proprietary encryption that is based on md4 and
rc4, and whose workings you cannot get hold of with an NDA.  For a given
principal to use DES, it needs to have DES keys in the database.
To do this, you need to enable DES keys for the particular principal
with the user administration tool and then change the password.

@node Authorization data,  , Encryption types, Windows 2000 compatability
@comment  node-name,  next,  previous,  up
@section Authorization data

The Windows 2000 KDC also adds extra authorization data in tickets.
It is at this point unclear what triggers it to do this.  The format of
this data is unknown and according to Microsoft, subject to change.  A
simple way of getting hold of the data to be able to understand it
better is described here.

@enumerate
@item Find the client example on using the SSPI in the SDK documentation.
@item Change ``AuthSamp'' in the source code to lowercase.
@item Build the program.
@item Add the ``authsamp'' principal with a known password to the
database.  Make sure it has a DES key.
@item Run @kbd{ktutil add} to add the key for that principal to a
keytab.
@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
--dump-auth=file} where file is an appropriate file.
@item It should authenticate and dump for you the authorization data in
the file.
@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
analyzing the data.
@end enumerate
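
As a complement to the last step, the following added example (not part
of Heimdal and not from the original chapter) walks a dumped blob and
lists each entry's type and raw payload.  It assumes the file written by
--dump-auth holds a DER-encoded AuthorizationData as defined in RFC 4120
(a SEQUENCE OF entries with ad-type [0] and ad-data [1]); the function
names and the sample bytes are the example's own.

```python
import sys

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length is not valid DER")
    if length & 0x80:                      # long form: low bits = octet count
        n = length & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    """Read one element and insist on its tag byte."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag))
    return value, nxt

def parse_authorization_data(blob):
    """Return [(ad_type, ad_data), ...]; ad_data is left undecoded."""
    outer, end = expect(blob, 0, 0x30)          # SEQUENCE OF
    if end != len(blob):
        raise ValueError("trailing bytes after AuthorizationData")
    entries, pos = [], 0
    while pos < len(outer):
        elem, pos = expect(outer, pos, 0x30)    # one entry
        type_wrap, nxt = expect(elem, 0, 0xA0)  # ad-type [0]
        data_wrap, _ = expect(elem, nxt, 0xA1)  # ad-data [1]
        ad_type = int.from_bytes(expect(type_wrap, 0, 0x02)[0], "big", signed=True)
        entries.append((ad_type, expect(data_wrap, 0, 0x04)[0]))
    return entries

# Constructed sample, not real KDC output: one entry, ad-type 128, 4 data bytes.
SAMPLE = bytes.fromhex("30 10 30 0e a0 04 02 02 00 80 a1 06 04 04 de ad be ef")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for ad_type, ad_data in parse_authorization_data(blob):
        print("ad-type %d, %d bytes: %s" % (ad_type, len(ad_data), ad_data.hex()))
```

Run it with the dump file as its only argument; without an argument it
parses the constructed sample.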