[ethomson]

I suspect that I'm going to get out of my depth very quickly here, but I'm not sure what the gratuitous breaking change is that you're speaking of; relatively recent MIT or Heimdal krb5 implementations can interop with Active Directory with no problem that I'm aware of.

Some older implementations were lacking ciphers that Active Directory required. If this is what you're speaking of then I wouldn't classify it as a "breaking change", since cipher negotiation is meant to be - well - negotiated. Its gratuitousness may be more in question, but I'm certain it was for backward compatibility with NT Lan Manager password schemes. (Alas.)

[gchpaco]

From http://www.h5l.org/manual/HEAD/info/heimdal/Authorisation-da...:

  The Windows 2000 KDC also adds extra authorisation data in tickets. It is at this point unclear what triggers it to do this. The format of this data is only available under a “secret” license from Microsoft, which prohibits you implementing it.

This makes/made? it difficult to have a Windows domain authenticate against an existing KDC; you needed to set up an AD server and then set up cross-domain trust relationships, which means you must have a Windows server on your network in order to support Windows AD clients.

[ethomson]

Very interesting. I had a similar setup in a previous life without any issues, but the "it is at this point unclear what triggers it to do this" is ominous indeed, so it's possible I just went down the happy path where this sort of issue doesn't come up.