
Service Tickets requested from Secure Login Client are always encrypted with RC4-HMAC?

Former Member
0 Kudos

Hi Experts,

During some Secure Login Server installations we faced an issue with Kerberos encryption types. One customer pre-generated his keytab for us on the DC and we imported it on the SLS using the SPNego configuration. The keytab issued contains AES algorithms only. SLC wasn't able to authenticate against SLS; to be clear, the decryption of the ST failed. We checked on the client side using several tools and found out the ST was encrypted by the KDC using RC4-HMAC. We are using a 2008 R2 DC and a Windows 8.1 client. The customer was using a 2012 R2 DC and a Windows 8 PC. I did some tests and can confirm this ST is always encrypted using RC4. Almost all the tickets for other services were using AES, which is what I would expect in a "native" Windows 7/8 and 2008/2012 environment...

Question: is there any configuration on the SLC, on the DC, etc. to enable AES-encrypted STs?

Thanks for your answers.

Carsten

Accepted Solutions (1)


Former Member
0 Kudos

Hello,

You must configure AES (AES 128 and/or AES 256) as the only encryption algorithm on the service user on the domain controller. In "Active Directory Users and Computers", choose the service account user, choose the Account tab and then Account options; see the attached screenshot.

Best regards

Alexander Gimbel
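The mismatch discussed in this thread, as an added example that is not part of the original posts or of SAP's code: it reads the enctypes out of an MIT-format keytab and compares them with the service account's `msDS-SupportedEncryptionTypes` bitmask, the attribute behind the AES checkboxes in the account options. The selection rule in `ticket_etype` (strongest flagged type, RC4 when no RC4/AES bit is set) is a simplified assumption matching what the thread observed, and the keytab built by `sample_keytab` is constructed with dummy keys.

```python
import struct

# Kerberos enctype number -> (name, bit in msDS-SupportedEncryptionTypes)
ETYPES = {23: ("rc4-hmac", 0x04), 17: ("aes128-cts-hmac-sha1-96", 0x08),
          18: ("aes256-cts-hmac-sha1-96", 0x10)}

def keytab_etypes(data):
    """Return the set of enctype numbers stored in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted entry
            pos -= size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        for _ in range(ncomp + 1):        # realm, then each name component
            (n,) = struct.unpack_from(">H", entry, p)
            p += 2 + n
        p += 4 + 4 + 1                    # name type, timestamp, 8-bit kvno
        found.add(struct.unpack_from(">H", entry, p)[0])
        pos += size
    return found

def ticket_etype(mask):
    """Assumed KDC choice: strongest type flagged on the account, else RC4."""
    return next((e for e in (18, 17, 23) if mask & ETYPES[e][1]), 23)

def can_decrypt(keytab, mask):
    """True if the keytab holds a key for the enctype the ticket would use."""
    return ticket_etype(mask) in keytab_etypes(keytab)

def sample_keytab(etypes):
    """Constructed keytab for HTTP/sls.example.com@EXAMPLE.COM, all-zero keys."""
    out = b"\x05\x02"
    names = [b"EXAMPLE.COM", b"HTTP", b"sls.example.com"]
    for e in etypes:
        key = bytes(32 if e == 18 else 16)
        body = struct.pack(">H", 2)
        body += b"".join(struct.pack(">H", len(n)) + n for n in names)
        body += struct.pack(">IIBHH", 1, 0, 2, e, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out
```

With an AES-only keytab, `can_decrypt(sample_keytab([17, 18]), 0x00)` is false (the ticket comes back as RC4), and it becomes true once the mask is `0x18`, which corresponds to both AES boxes being ticked on the service account.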

Former Member
0 Kudos

Hi Alexander,

Thanks, that works! Added to my best practices.

Regards,
Carsten
