In Windows 7 and Server 2008 R2, the DES encryption types for the Kerberos authentication protocol are disabled by default.
This can cause compatibility problems if one of your legacy applications is hard-coded for only DES encryption or if the Windows account that runs a service (the service account) is configured to use only DES encryption. These services or applications will fail unless you reconfigure them to support another encryption type (RC4 or Advanced Encryption Standard, AES) or you enable DES support.
Impacted services/systems: spnego sourceforge, J2EE, java, Unix, Linux with Centrify v3.x or greater, CVS, Samba, Kerberos v5 on Linux …
For Centrify specifically, see the vendor's KB articles:
Out-of-the-box Windows 7 and Server 2008 R2 machines support the AES (to be more precise, AES128_HMAC_SHA1 and AES256_HMAC_SHA1) and RC4 (RC4_HMAC_MD5) Kerberos encryption types. Microsoft only added support for the AES encryption types in Windows Vista, Server 2008 and later OSs. AES is the newer and stronger algorithm; DES has a 56-bit key and is no longer considered adequate. The RC4 encryption type has been supported by Windows Kerberos since Windows 2000 and is still supported in Windows 7 and Server 2008 R2. Domain controllers start issuing AES-encrypted tickets (and generate AES keys for the krbtgt account) once you raise the Active Directory (AD) domain to the Server 2008 domain functional level.
| Encryption type         | Key length | MS OS supported                                                      |
|-------------------------|------------|----------------------------------------------------------------------|
| AES256-CTS-HMAC-SHA1-96 | 256-bit    | Windows Vista, Windows Server 2008 and later                         |
| AES128-CTS-HMAC-SHA1-96 | 128-bit    | Windows Vista, Windows Server 2008 and later                         |
| RC4-HMAC                | 128-bit    | Windows 2000 and later                                               |
| DES-CBC-MD5             | 56-bit     | Windows 2000 and later; off by default in Windows 7 / Server 2008 R2 |
| DES-CBC-CRC             | 56-bit     | Windows 2000 and later; off by default in Windows 7 / Server 2008 R2 |
To check whether one of your applications or services is hard-coded to use only DES encryption, run a network trace while the application or service starts and look at the etype fields in the Kerberos messages: the etype list in the AS-REQ request body (what the client offers), the etype of the PA-ENC-TIMESTAMP pre-authentication data, and the etype of the enc-part in the AS-REP/TGS-REP (what the KDC actually used). A client that offers only etype 1 (des-cbc-crc) and 3 (des-cbc-md5) is DES-only; in Wireshark the display filter kerberos.etype == 1 || kerberos.etype == 3 isolates those packets.
To determine whether an AD user or computer account is configured for only DES encryption, check whether the "Use Kerberos DES encryption types for this account" option is set on the Account tab of the object's properties (from the AD Users and Computers MMC snap-in). That check box sets the USE_DES_KEY_ONLY flag (0x200000) in the account's userAccountControl attribute; an account can also have DES listed explicitly in its msDS-SupportedEncryptionTypes attribute (bits 0x1 and 0x2), which is the same bitmask layout the policy described below writes to the registry.
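Clicking through every account in the MMC does not scale, so the following PowerShell, added here as an example and not part of the original article, queries AD for accounts that still depend on DES, either through the USE_DES_KEY_ONLY flag or through DES bits in msDS-SupportedEncryptionTypes. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain; the function name and the default search base are my choices.

```powershell
# Added example (not from the original article): list AD accounts whose
# Kerberos configuration still relies on DES.  Requires the RSAT
# ActiveDirectory module; run as a user that can read the domain.
Import-Module ActiveDirectory

# userAccountControl bit set by "Use Kerberos DES encryption types for this account".
$UseDesKeyOnly = 0x200000

# Bits of msDS-SupportedEncryptionTypes (same layout as the SupportedEncryptionTypes
# registry value that the Kerberos etype GPO writes).
$EtypeBits = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function Get-KerberosDesAccounts {
    param(
        # Search base is an assumption: whole domain by default.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # LDAP matching rules: 1.2.840.113556.1.4.803 = bitwise AND, .804 = bitwise OR.
    # First clause: the "DES only" flag on users and computers.
    # Second clause: either DES bit (0x1 | 0x2 = 3) in the explicit etype list.
    $filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UseDesKeyOnly)" +
              "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3))"

    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase `
        -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', servicePrincipalName |
    ForEach-Object {
        # Absent attribute casts to 0, which the KDC treats as "use defaults".
        $set = [int]$_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name          = $_.Name
            ObjectClass   = $_.ObjectClass
            DesOnlyFlag   = (($_.userAccountControl -band $UseDesKeyOnly) -ne 0)
            # Human-readable decode of the explicit etype list, if any.
            EnabledEtypes = ($EtypeBits.GetEnumerator() |
                Where-Object { ($set -band $_.Value) -ne 0 } |
                ForEach-Object Key) -join ','
            # Service accounts (accounts with SPNs) are the ones legacy apps usually hit.
            HasSPN        = (@($_.servicePrincipalName).Count -gt 0)
        }
    }
}

Get-KerberosDesAccounts | Format-Table -AutoSize
```

Accounts that come back with HasSPN set are the service accounts from the second paragraph of this article; those are the ones to re-key (reset the password after changing the encryption type so that non-DES keys get generated) or to cover with the DES policy until the application is fixed.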
If you find that you are affected by this problem, you can re-enable DES encryption for Kerberos authentication on Windows 7 or Server 2008 R2 with the Group Policy setting Network security: Configure encryption types allowed for Kerberos, located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options container. Keep in mind that this puts a 56-bit cipher back on every computer the policy applies to, so scope the policy as narrowly as the affected systems allow and treat it as a bridge until the application or service account is moved to RC4 or AES.
Microsoft has documented explanations and examples with workaround in this reference web article: http://support.microsoft.com/kb/977321/en-us
User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain: http://support.microsoft.com/kb/978055
=> If DES is disabled on the domain controller and a DES-only principal is involved, the Kerberos-Key-Distribution-Center source logs Event ID 16 (AS request) or 27 (TGS request) in the DC's System log, stating that the account did not have a suitable key for generating a Kerberos ticket.
If you conclude that you are affected by this issue and that you have to turn on the DES encryption type for Kerberos authentication, enable the following Group Policies to apply the DES encryption type to all computers that are running Windows 7 or Windows Server 2008 R2:
- In the Group Policy Management Console (GPMC), locate the following location:
Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options
- Click to select the Network security: Configure encryption types allowed for Kerberos option.
- Click to select Define these policy settings, then select all six check boxes for the encryption types (DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types).
- Click OK. Close the GPMC.
Note: with all six boxes selected the policy sets the SupportedEncryptionTypes registry entry to 0x7FFFFFFF (the five named types in bits 0x1 to 0x10, plus the "future types" bits). The SupportedEncryptionTypes registry entry is at the following location:
Depending on the scenario, you may have to set this policy at the domain level to apply the DES encryption type to all clients that are running Windows 7 or Windows Server 2008 R2. Or, you may have to set this policy at the organizational unit (OU) of the domain controller for the domain controllers that are running Windows Server 2008 R2.
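Whichever GPO scope you choose, it helps to be able to read back what actually landed on a machine and to know what the "safe" values look like next to 0x7FFFFFFF. The following PowerShell is an added example, not part of the original article or of Microsoft's KB: it decodes the SupportedEncryptionTypes bitmask, reads the current policy value, and shows the mask that re-enables DES beside the masks that do not. The registry path is the policy-managed Kerberos Parameters key as Microsoft documents it (an assumption on my part, since the article does not spell it out); the function names are mine.

```powershell
# Added example (not from the original article): inspect and decode the
# Kerberos etype policy value, and compare the DES-enabling mask with
# hardened alternatives.  Registry path assumed from Microsoft's
# documentation of the policy; the article itself omits it.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit layout of SupportedEncryptionTypes.  "Future" covers the sixth check box
# in the policy UI; ticking all six yields 0x1F | 0x7FFFFFE0 = 0x7FFFFFFF.
$EtypeBits = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
    Future_encryption_types = 0x7FFFFFE0
}

function ConvertFrom-EtypeMask {
    param([Parameter(Mandatory)][int]$Mask)
    ($EtypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object Key) -join ', '
}

function Get-KerberosEtypePolicy {
    $v = Get-ItemProperty -Path $PolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $v) {
        # No policy value: Windows 7 / 2008 R2 built-in default (RC4 + AES, no DES).
        'SupportedEncryptionTypes not defined; OS default applies (RC4 + AES, DES off)'
    } else {
        $mask = [int]$v.SupportedEncryptionTypes
        '0x{0:X8} => {1}' -f $mask, (ConvertFrom-EtypeMask $mask)
    }
}

function Set-KerberosEtypePolicy {
    # Writes the same value the GPO would.  Note that a GPO covering this
    # machine overwrites it again at the next policy refresh.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Mask)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $desc = 'Set SupportedEncryptionTypes to 0x{0:X8}' -f $Mask
    if ($PSCmdlet.ShouldProcess($PolicyKey, $desc)) {
        Set-ItemProperty -Path $PolicyKey -Name SupportedEncryptionTypes -Value $Mask -Type DWord
    }
}

# What the "tick all six boxes" procedure writes (DES back on):
$AllIncludingDes = 0x7FFFFFFF
# The Windows 7 / 2008 R2 default, stated explicitly (RC4 + AES128 + AES256, no DES):
$DefaultNoDes    = 0x1C
# Where to end up once nothing needs RC4 either:
$AesOnly         = 0x18

foreach ($m in $AllIncludingDes, $DefaultNoDes, $AesOnly) {
    '0x{0:X8} => {1}' -f $m, (ConvertFrom-EtypeMask $m)
}
Get-KerberosEtypePolicy
# Dry run of the rollback; drop -WhatIf to apply it on a machine not governed by the GPO.
Set-KerberosEtypePolicy -Mask $DefaultNoDes -WhatIf
```

The same bit values apply to an account's msDS-SupportedEncryptionTypes attribute, so once the legacy application is gone, setting the account attribute to 0x18 and resetting its password is the per-principal way to retire DES without touching the machine-wide policy.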
Hunting DES on your network:
Beyond the KDC errors, the DC's Security log records the encryption type of every ticket it issues, so you can find DES use before you disable it. The relevant events belong to the Account Logon audit category (subcategories Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations) and are described in these two KBs:
- Description of security events in Windows Vista and in Windows Server 2008
- Description of security events in Windows 7 and in Windows Server 2008 R2; Kerberos Event IDs: 4768 (TGT requested), 4769 (service ticket requested), 4770 (service ticket renewed), 4771 (pre-authentication failed), 4772 (TGT request failed), 4773 (service ticket request failed). Events 4768 and 4769 carry a Ticket Encryption Type field; 0x1 (DES-CBC-CRC) or 0x3 (DES-CBC-MD5) there means a DES ticket, against 0x17 for RC4 and 0x11/0x12 for AES128/AES256.
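To turn those event IDs into an inventory, the following PowerShell, an added example rather than code from the article or from Microsoft, pulls 4768/4769 events whose Ticket Encryption Type is a DES value from a domain controller's Security log and groups them by account and service. It assumes the Kerberos auditing subcategories are enabled on the DC and that the caller can read its Security log remotely; the function name and parameter defaults are mine.

```powershell
# Added example (not from the original article): find Kerberos tickets that a
# DC issued with a DES key.  Each DC logs only the tickets it issued, so run
# this against every DC (or against a collector that receives their logs).
# TicketEncryptionType values are the etype numbers: 0x1 DES-CBC-CRC,
# 0x3 DES-CBC-MD5, 0x11 AES128, 0x12 AES256, 0x17 RC4-HMAC.
function Get-DesKerberosEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: run on or against a DC
        [int]$MaxEvents = 10000
    )

    # Server-side XPath filter: 4768 = TGT request (AS), 4769 = service ticket
    # request (TGS); keep only DES ticket encryption types.
    $xpath = "*[System[(EventID=4768 or EventID=4769)] and " +
             "EventData[Data[@Name='TicketEncryptionType']='0x1' or " +
             "Data[@Name='TicketEncryptionType']='0x3']]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten EventData/Data[@Name] elements into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Account = $d.TargetUserName     # requesting principal
            Service = $d.ServiceName        # krbtgt for 4768, target SPN owner for 4769
            Client  = $d.IpAddress
            Etype   = $d.TicketEncryptionType
            Status  = $d.Status             # 0x0 = success; Kerberos error code otherwise
        }
    }
}

# Who is still getting DES tickets, and for which services.
Get-DesKerberosEvents |
    Group-Object Account, Service |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

An empty result on every DC over a full business cycle (including month-end jobs) is the evidence you want before you leave DES disabled; a non-empty one gives you the accounts to cross-check against the AD query earlier in the article.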