[OpenAFS] Kerberos + Windows
Ben Huntsman
ben@huntsmans.net
Wed, 24 Aug 2022 16:53:11 +0000
Hi there!
Thanks for the replies! Removing the encryption types lines helped, and I got further. This is MIT Kerberos.
Here's some configuration info:
Let's say my cell is going to be mydomain.com. My Active Directory is ad.mydomain.com, and my AFS service account is srvAFS. Here's my krb5.conf:
[libdefaults]
    default_realm = AD.MYDOMAIN.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    dns_lookup_realm = true
    dns_lookup_kdc = true
    forwardable = true

[realms]
    AD.MYDOMAIN.COM = {
        kdc = ad.mydomain.com:88
        admin_server = ad.mydomain.com:749
        default_domain = ad.mydomain.com
    }

[domain_realm]
    .ad.mydomain.com = AD.MYDOMAIN.COM
    ad.mydomain.com = AD.MYDOMAIN.COM

[logging]
    kdc = FILE:/var/krb5/log/krb5kdc.log
    admin_server = FILE:/var/krb5/log/kadmin.log
    kadmin_local = FILE:/var/krb5/log/kadmin_local.log
    default = FILE:/var/krb5/log/krb5lib.log
I then created the service account srvAFS, and extracted a keytab on the Domain Controller using the following command:
ktpass /princ afs/mydomain.com@AD.MYDOMAIN.COM /mapuser srvAFS /mapop add /out rxkad.keytab +rndpass /crypto all /ptype KRB5_NT_PRINCIPAL +dumpsalt
I verified that the account did not have the "Use only Kerberos DES encryption types for this account" box checked. I then copied the rxkad.keytab over to the UNIX host. I built OpenAFS with a prefix of /opt/openafs, so I put the keytab in /opt/openafs/etc/openafs/server.
I used ktutil to delete the two des entries in the keytab. ktutil indicates that the KVNO is 5.
I then added the keys to OpenAFS using the command:
asetkey add rxkad_krb5 5 17 /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com
asetkey add rxkad_krb5 5 18 /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com
Now I add an AD user to OpenAFS:
pts createuser -name adUser -id 204 -localauth
pts adduser adUser system:administrators -localauth
And I try to authenticate:
kinit adUser
That gives me a password prompt, and it's accepted. Then I run:
aklog
Also accepted:
# tokens
Tokens held by the Cache Manager:
User's (AFS ID 204) rxkad tokens for mydomain.com [Expires Aug 24 18:27]
--End of list--
But things aren't quite working:
# ls /afs
afs: Tokens for user of AFS id 204 for cell mydomain.com are discarded (rxkad error=19270408, server 192.168.0.114)
ls: /afs: The file access permissions do not allow the specified action.
# kvno adUser@AD.MYDOMAIN.COM
kvno: Server not found in Kerberos database while getting credentials for adUser@AD.MYDOMAIN.COM
# vos listvol myserver
Could not fetch the list of partitions from the server
rxk: ticket contained unknown key version number
Error in vos listvol command.
rxk: ticket contained unknown key version number
# kinit -kt /opt/openafs/etc/openafs/server/rxkad.keytab
kinit: Cannot determine realm for host (principal host/myserver.mydomain.com@)
# kinit -kt /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com@AD.MYDOMAIN.COM
# kvno afs/mydomain.com@AD.MYDOMAIN.COM
afs/mydomain.com@AD.MYDOMAIN.COM: kvno = 5
Did I miss something, or make a mistake along the way somewhere?
Thank you so much!!
-Ben
________________________________
From: Jeffrey E Altman
Sent: Wednesday, August 24, 2022 5:02 AM
To: Ben Huntsman; openafs-info@openafs.org
Subject: Re: [OpenAFS] Kerberos + Windows
On 8/23/2022 9:24 PM, Ben Huntsman (ben@huntsmans.net) wrote:
Hi guys-
Does anyone have a working krb5.conf that works with Windows 2012 R2 or newer?
The docs do show how to set up using the new scheme but assume Kerberos, not AD. I've tried a few different things but I can't seem to get default_tkt_enctypes and default_tks_enctypes set correctly.
Ben,
A krb5.conf is configuration for an MIT or Heimdal Kerberos client but not for a Microsoft Windows Kerberos client.
Please clarify which Kerberos client implementation you are configuring.
I agree with Ken that default_tkt_enctypes and default_tks_enctypes should never be configured on clients.
Jeffrey Altman
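The keytab checks the message above does by hand with ktutil (the kvno, and leftover DES entries), as a small added example that is not code from the thread or from OpenAFS: it parses MIT keytab format 0x0502 and reports weak enctypes plus any entry whose kvno differs from the one you intend to pass to asetkey. The keytab bytes are constructed inline; the principal, realm and enctype set mirror the ktpass command in the message, and the keys are dummy values.

```python
import struct
# Constructed sample (not a keytab from the thread): a 0x0502 MIT keytab for
# afs/mydomain.com@AD.MYDOMAIN.COM at kvno 5 with the enctypes "ktpass /crypto all"
# emits: des-cbc-crc (1), des-cbc-md5 (3), rc4-hmac (23), aes128 (17), aes256 (18).
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}

def build_entry(realm, components, enctype, kvno, key, timestamp=1661356391):
    """Serialise one v2 keytab entry (big-endian, 8-bit vno, no trailing vno32)."""
    body = struct.pack(">HH", len(components), len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry("AD.MYDOMAIN.COM", ["afs", "mydomain.com"], et, 5, bytes([et]) * klen)
    for et, klen in ((1, 8), (3, 8), (23, 16), (17, 16), (18, 32)))

def _read_counted(data, pos):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] for every live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                      # negative size marks a deleted/free slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _nametype, _ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + keylen
        # A trailing non-zero 32-bit vno overrides the 8-bit field (kvno > 255).
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, enctype, vno32 or vno8))
        pos = end
    return entries

def audit_keytab(data, expected_kvno):
    """Flag weak enctypes and kvno mismatches before the keys are handed to asetkey."""
    findings = []
    for princ, etype, kvno in parse_keytab(data):
        if etype in WEAK_ENCTYPES:
            findings.append(f"weak {WEAK_ENCTYPES[etype]} key for {princ}: delete it before use")
        if kvno != expected_kvno:
            findings.append(f"enctype {etype} key for {princ} has kvno {kvno}, expected {expected_kvno}")
    return findings
```

Running audit_keytab over the real rxkad.keytab with the kvno given to asetkey would show whether the DES and RC4 entries are really gone and whether every remaining key carries that kvno.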