We are migrating our DCs to Windows 2008 R2. We have been checking the compatibility of our business applications and we have found that one of our vendors is requesting that the 'Use DES encryption' box be checked for all users that use the application.
According to the article below the following needs to be done:
- DES encryption doesn't even come with Windows 2008 anymore, and a hotfix needs to be installed in order to bring this to the OS (KB978055)
- Our clients are Windows XP, and I understand from the article that nothing needs to be done on the client unless the clients are Windows 7/Vista or Windows 2008.
From what I understand overall, for Windows 2008 R2 DCs / Windows XP clients this is what needs to be done:
1.) Install KB978055 on the DCs
2.) At the AD user account level enable "Use DES encryption type for this account"
3.) Nothing has to be done at the client level since the clients are XP and are compatible with DES.
I was wondering if someone has done something similar in a production env. before in order to enable authentication for legacy applications through this method? Could you please let me know if there are any other steps that we need to take into consideration?
My understanding is that installing KB978055 will not change the type of authentication for ALL the domain users; instead, DES will be used only for those that have "Use DES encryption type for this account" enabled at the AD account level. Is that correct?
Finally, we will be migrating the clients to Windows 7 soon. Can you please let me know what needs to be done on the client side?
If you have applications that cannot get rid of DES, you can look at the steps required to enable DES support on the OS. There are two parts to this. First, you will need to patch your 2008 domain controllers with KB978055. This gives the DC the ability to issue DES tickets. If your clients are Windows 7 or 2008 R2 servers themselves, they will need to have some configuration changes. This can be done by a registry fix, or pushed by group policy. Refer to this article for that. When changing the client settings, be careful that you allow all of the required encryption types. If you use a GPO to turn on DES and don't specify anything else, your machine will only use DES.
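
To illustrate the caveat at the end of the answer above, here is an added example (not part of the original thread): a PowerShell function that decodes a Kerberos `SupportedEncryptionTypes` bitmask, the value the client-side encryption-types setting stores, and flags a DES-only configuration. The function name `Get-KerberosEtypeReport` and the sample masks are constructed for this example.

```powershell
# Added example: decode a SupportedEncryptionTypes bitmask and flag DES-only settings.
# Bit values are the standard Kerberos encryption-type flags for this setting.
$EtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC'                = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}
$DesMask = 0x3   # both DES bits

function Get-KerberosEtypeReport {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Mask
    )
    # Names of the known encryption types whose bit is set in the mask
    $enabled = foreach ($e in $EtypeBits.GetEnumerator()) {
        if ($Mask -band $e.Value) { $e.Key }
    }
    $hasDes   = ($Mask -band $DesMask) -ne 0
    # Any bit outside the two DES bits counts as "something other than DES"
    $hasOther = ($Mask -band (-bnot $DesMask)) -ne 0

    $finding = if ($Mask -eq 0) {
        'Not configured: OS defaults apply'
    } elseif ($hasDes -and -not $hasOther) {
        'DES ONLY: machine cannot use RC4/AES, add the other required types'
    } elseif ($hasDes) {
        'DES enabled alongside other types: confirm DES is still required'
    } else {
        'DES not enabled'
    }

    [pscustomobject]@{
        Setting = $Name
        Mask    = '0x{0:X}' -f $Mask
        Enabled = ($enabled -join ', ')
        Finding = $finding
    }
}

# Constructed sample values, not taken from a real environment
@(
    Get-KerberosEtypeReport -Name 'GPO with only the DES boxes ticked' -Mask 0x3
    Get-KerberosEtypeReport -Name 'DES + RC4 + AES'                    -Mask 0x1F
    Get-KerberosEtypeReport -Name 'RC4 + AES, no DES'                  -Mask 0x1C
) | Format-List
```

On a client, the mask to check is the `SupportedEncryptionTypes` DWORD under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters`, whether it was set by a registry change or by group policy.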