Heads Up! Additional Configuration Required for Windows 7/Windows Server 2008 R2
July 14, 2010 Patrick Botz
If you have a Windows 7 workstation or you are running Windows Server 2008 R2, there is an extra configuration step to enable Kerberos authentication with i5/OS. In these releases, Microsoft no longer enables the DES cipher suites (DES-CBC-MD5 and DES-CBC-CRC) for Kerberos by default. Unfortunately, Kerberos on i5/OS does not support the new default suites used by Microsoft.
A few details about the Kerberos protocol will explain why this change requires additional configuration. The Kerberos protocol negotiates the cipher suites used to build Kerberos tickets. When a client requests a Kerberos ticket, it includes a list of cipher suites