Password Salting Methods
Is there a reference anywhere that outlines the different password
salting methods used by different KDCs?
AFAICT AD w/ RC4 doesn't actually use a salt. Heimdal seems to just
use the realm and principal name concatenated together without any
What does MIT do?
What does Windows 2008 w/ AES use?
Do the salt values change depending on the enctype?
I'm interested in knowing to what degree salts can be predicted given
only the information a client preparing to issue an AS-REQ would have.
Ultimately I'm trying to reduce ETYPE_INFO(2) discovery to improve
performance and get rid of annoying Windows "preauthentication failed"
event log errors.
Michael B Allen
PHP Active Directory SPNEGO SSO