
Security Level of Kerberos / SPNego Algorithms?

LutzR
Active Contributor

Dear all,

some algorithms got a bad reputation over the last months and years. I am no algorithm expert but do some research on recommendations, standards and regulations to give some guidance to our organization.

So I learnt from TLS discussions that DES, MD5 and RC4 are to be considered broken.

What about Kerberos/SPNego? Do we have to consider RC4 and DES as broken for Kerberos too? I am not able to google a decent statement on this.

When I create a keytab in transaction SPNego I generate keys for the following algorithms:


Does anybody know how Kerberos negotiates which algorithm to use?

SAP systems seem to prefer RC4 over AES during the handshake. The command-line tool klist on my PC shows that all my Kerberos tokens are AES with the exception of those for SAP systems, which are RC4.


Shall I remove all DES and RC4 entries for security reasons?

This would only leave AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96.

Are there any known compatibility issues when limiting Kerberos to AES?

Luckily we don't have to support any Windows XP clients anymore.

I am asking for both Kerberos based SNC for GUI and RFC-Clients as well as for SPNego in browsers for both ABAP and JAVA stack (if this makes any difference).

Thanks a lot!

Lutz


Hi, I moved this to SAP Single Sign On while hoping to get some feedback here. Regards, Lutz
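One way to turn the klist observation above into a repeatable check (which cached tickets were issued with RC4 or DES, and for which SPNs), as an added Python example that is not part of this thread. The klist text below is a constructed sample in the Windows klist layout and the SPNs are invented; run the real `klist` output through the same functions.

```python
import re
from typing import Dict, List

# Constructed sample of Windows `klist` output (not a real capture).
SAMPLE_KLIST = """
Current LogonId is 0:0x3e7a1

Cached Tickets: (3)

#0>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ CORP.EXAMPLE
        Server: SAP/sapgw-prd @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Session Key Type: RSADSI RC4-HMAC(NT)

#2>     Client: jdoe @ CORP.EXAMPLE
        Server: HTTP/sapportal.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-128-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""

# Legacy enctype names as they appear in klist output (word-bounded so
# "AES" and "RSADSI" are never mistaken for "DES").
WEAK_ENCTYPE = re.compile(r"\b(RC4|DES)\b", re.IGNORECASE)


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Split klist output into one dict per ticket, keyed by the labelled fields."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:  # drop header before "#0>"
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            m = re.match(r"\s*(Server|KerbTicket Encryption Type|Session Key Type):\s*(.+)", line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        tickets.append(fields)
    return tickets


def weak_tickets(text: str) -> List[str]:
    """Return the SPNs whose ticket or session key still uses RC4 or DES."""
    flagged = []
    for t in parse_klist(text):
        enc = t.get("KerbTicket Encryption Type", "") + " " + t.get("Session Key Type", "")
        if WEAK_ENCTYPE.search(enc):
            flagged.append(t.get("Server", "?"))
    return flagged
```

A ticket is flagged if either the ticket itself or its session key is RC4/DES, since both are negotiated separately by the KDC.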

Accepted Solutions (1)


Former Member

Hello,

See:

AES is the only good choice if your clients are Windows Vista or above and your servers are Windows 2008 R2 or above.

If you have a mix of Windows + Linux you'll have to investigate further.

Regards,

Stephane.
