on 07-15-2014 3:15 PM
Hi Experts,
During some Secure Login Server installations we faced an issue with Kerberos encryption types. One customer pre-generated his keytab for us on the DC and we imported it on the SLS using the SPNego configuration. The keytab issued contains AES algorithms only. SLC wasn't able to authenticate against SLS; to be clear, the decryption of the ST failed. We checked on the client side using several tools and found out the ST was encrypted by the KDC using RC4-HMAC. We are using a 2008 R2 DC and a Windows 8.1 client. The customer was using a 2012 R2 DC and a Windows 8 PC. I did some tests and can confirm this ST is always encrypted using RC4. Almost all the tickets for other services were using AES, which I would expect in a "native" Windows 7/8 and 2008/2012 environment...
Question: is there any configuration on the SLC, on the DC etc. to enable AES-encrypted STs?
Thanks for your answers.
Carsten
Hello,
You must configure AES (AES 128 and/or AES 256) as the only encryption algorithm on the service user on the Domain Controller. In "Active Directory Users and Computers", choose the service account user, choose the Account tab and then Account options; see the attached screenshot.
Best regards
Alexander Gimbel
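The mismatch discussed in this thread can be checked offline; the following Python sketch is an added example, not code from the posters or from SAP. It parses an MIT-format keytab and compares its key types with the ticket encryption type expected from the service account's `msDS-SupportedEncryptionTypes` value (the attribute behind the AES checkboxes in the account options). Assumptions: the KDC selection rule is a simplified model, and the sample principal and zeroed keys are constructed.

```python
import struct

# Kerberos etype numbers and the msDS-SupportedEncryptionTypes bit for each.
ETYPES = {18: ("aes256-cts-hmac-sha1-96", 0x10), 17: ("aes128-cts-hmac-sha1-96", 0x08),
          23: ("rc4-hmac", 0x04)}

def keytab_etypes(data):
    """Return the etype numbers of all keys in an MIT-format (0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break                        # defensive stop on an empty record
        if size > 0:                     # negative size marks a deleted entry (hole)
            p = pos
            (ncomp,) = struct.unpack_from(">H", data, p)
            p += 2
            for _ in range(ncomp + 1):   # realm, then each principal component
                (n,) = struct.unpack_from(">H", data, p)
                p += 2 + n
            p += 4 + 4 + 1               # name type, timestamp, 8-bit kvno
            found.add(struct.unpack_from(">H", data, p)[0])
        pos += abs(size)
    return found

def expected_ticket_etype(msds_value):
    """Simplified model: strongest etype the account advertises; RC4 if unset."""
    for etype in (18, 17, 23):
        if msds_value & ETYPES[etype][1]:
            return etype
    return 23                            # assumption: matches the RC4 tickets seen in the thread

def check(keytab, msds_value):
    """(can_decrypt, ticket etype name) for a keytab and an account setting."""
    want = expected_ticket_etype(msds_value)
    return want in keytab_etypes(keytab), ETYPES[want][0]

def _entry(realm, comps, etype, key):    # builds one constructed sample entry
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s
    body += struct.pack(">IIBHH", 1, 0, 2, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed AES-only keytab (zeroed keys, hypothetical principal), not from the thread.
SPN = (b"EXAMPLE.COM", [b"HTTP", b"sls.example.com"])
SAMPLE = b"\x05\x02" + _entry(*SPN, 18, bytes(32)) + _entry(*SPN, 17, bytes(16))

if __name__ == "__main__":
    print(check(SAMPLE, 0))      # account attribute unset
    print(check(SAMPLE, 0x18))   # both AES boxes ticked
```

With the attribute unset the model predicts an RC4 ticket that the AES-only keytab cannot decrypt; with the AES bits set (0x18) the ticket type matches a key in the keytab.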