llarava asked:
Windows 2008R2 DC's - Enable Use DES encryption for legacy applications

Hi,

We are migrating our DCs to Windows 2008 R2. We have been checking the compatibility of our business applications and we have found that one of our vendors is requesting that the 'Use DES encryption' box be checked for all users that use the application.

According to the article below the following needs to be done:

-DES encryption doesn't even come with Windows 2008 anymore and a hotfix needs to be installed in order to bring this to the OS (KB978055)
-Our clients are Windows XP and I understand from the article that nothing needs to be done on the client unless the clients are Windows 7/Vista or Windows 2008.

From what I am understanding overall for a Windows 2008R2 DCs / Windows XP clients this is what needs to be done:

1.) Install KB978055 on the DCs
2.) At the AD user account level enable "Use DES encryption type for this account"
3.) Nothing has to be done at the client level since the clients are XP and are compatible with DES.

I was wondering if someone has done something similar in a production env. before in order to enable authentication for legacy applications through this method? Could you please let me know if there are any other steps that we need to take in consideration?

I am understanding that installing KB978055 will not change the type of authentication for ALL the domain users; instead DES will be used only for those that have "Use DES encryption type for this account" enabled at the AD account level. Is that correct?

Finally, we will be migrating the clients soon to Windows 7. Can you please let me know what needs to be done on the client side?

Thank you.

--------------------------
If you have applications that cannot get rid of DES, you can look at the steps required to enable DES support on the OS. There are two parts to this. First you will need to patch your 2008 domain controllers with KB978055. This gives the DC the ability to issue DES tickets. If your clients are Windows 7 or 2008 R2 Server themselves, they will need to have some configuration changes. This can be done by a registry fix, or pushed by group policy. Refer to this article for that. When changing the client settings, be careful that you allow all of the required encryption types. If you use a GPO to turn on DES, and don't specify anything else, your machine will only use DES.


http://myitpath.blogspot.com/2011/01/des-encryption-kerberos-and-2008-server.html
GusGallows:

We ran into a similar issue. The thing is, DES encryption is already available to 2008 R2, but it is disabled. You have to enable it through group policy.

Log in to one of the new domain controllers.
From command prompt, enter rsop.msc. This will bring up the resultant set of policy screen. This will show what policies are applied to the domain controller. You want to browse through them to the following path:
Computer Configuration, Windows Settings, Local Policies, Security Options

From there, find the one called "Network security: Configure encryption types allowed for Kerberos"

If the policy is applied, it should tell you in the Source GPO column which policy it is applied from. If it is disabled, you will need to go to whichever policy applies to your domain controllers and enable it. You will want to check all four of the encryption methods.

This will enable DES authentication without removing the other forms. Your users will continue to authenticate at the highest level available to them. If the application requires DES, it will allow it. If it doesn't, it will use the proper one.

Hope this helps.
ASKER CERTIFIED SOLUTION
GusGallows:
I meant to say you will want to check all SIX of the authentication methods. Fingers are working faster than the brain today. And you will need to change this using Group Policy Management under Administrative tools.
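The two settings discussed in this thread, the "Network security: Configure encryption types allowed for Kerberos" policy (GusGallows' answer, with the six checkboxes from the follow-up) and the per-account "Use DES encryption type for this account" flag (the asker's step 2), can both be audited from PowerShell. The script below is an added example written for this page, not code from the thread, from GusGallows or from the linked blog. The registry path, the bit values of the SupportedEncryptionTypes mask and the userAccountControl bit are the documented Windows ones; the function names, the constructed sample values at the bottom and the account name 'legacyapp.user' are assumptions for illustration. It decodes the mask, flags the "DES only" misconfiguration the quoted article warns about, and shows how to read and set the account flag with the ActiveDirectory module.

```powershell
# Added example, not code from the thread. Decodes the bitmask that the
# "Network security: Configure encryption types allowed for Kerberos" policy
# writes to the registry, flags a DES-only configuration, and reports the
# per-account "Use DES encryption types for this account" flag.
# Bit values and the registry path are the documented Windows ones; the
# function names, the sample values at the bottom and the account name are
# assumptions for illustration.

$KerbParams = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Flags of SupportedEncryptionTypes, one per checkbox in the policy (six boxes).
# Checking all six writes 0x7FFFFFFF, so "Future encryption types" is every
# remaining bit above the five named types.
$EncTypes = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
    'Future encryption types' = 0x7FFFFFFF -band (-bnot 0x1F)
}
$DesMask    = 0x3
$StrongMask = 0x1C   # RC4 + AES128 + AES256: the Windows 7 / Server 2008 R2 default set

function Get-KerberosEncTypeReport {
    # Turn a SupportedEncryptionTypes value into the list of enabled types plus
    # a verdict a migration checklist can act on.
    param([Parameter(Mandatory=$true)][int]$Value)

    $enabled = @($EncTypes.Keys | Where-Object { $Value -band $EncTypes[$_] })
    $verdict = if ($Value -eq 0) {
        'Policy enabled with no types selected: misconfigured, fix the policy'
    } elseif (($Value -band $DesMask) -and -not ($Value -band $StrongMask)) {
        'DES only: this host will not negotiate RC4/AES and breaks against anything that refuses DES'
    } elseif ($Value -band $DesMask) {
        'DES enabled alongside stronger types: DES is used only where a principal is DES-only'
    } else {
        'DES disabled (default behaviour on Windows 7 / Server 2008 R2)'
    }
    [pscustomobject]@{
        Value   = ('0x{0:X}' -f $Value)
        Enabled = ($enabled -join ', ')
        Verdict = $verdict
    }
}

function Get-LocalKerberosEncTypes {
    # Returns the policy value on this machine, or $null when the policy is
    # "Not Defined" (no value in the registry, so the OS default applies).
    $item = Get-ItemProperty -Path $KerbParams -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.SupportedEncryptionTypes
}

$USE_DES_KEY_ONLY = 0x200000   # userAccountControl bit behind the account checkbox

function Get-AccountDesFlag {
    # Reports whether a user has "Use DES encryption types for this account" set.
    # Needs the ActiveDirectory module (RSAT) on the machine running it.
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, 'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        User                  = $u.SamAccountName
        UseDESKeyOnly         = [bool]($u.userAccountControl -band $USE_DES_KEY_ONLY)
        msDSSupportedEncTypes = $u.'msDS-SupportedEncryptionTypes'
    }
}

# --- Walk-through on constructed values: all six boxes, DES only, OS default ---
foreach ($v in 0x7FFFFFFF, 0x3, 0x1C) { Get-KerberosEncTypeReport -Value $v }

# --- Live check on the host this runs on (a DC or a Windows 7 client) ---
$local = Get-LocalKerberosEncTypes
if ($null -eq $local) { 'Policy not defined on this host: OS default (RC4 + AES) applies' }
else { Get-KerberosEncTypeReport -Value $local }

# Per-account flag for a user of the legacy application (placeholder name):
# Get-AccountDesFlag -SamAccountName 'legacyapp.user'
# Setting it from PowerShell instead of the ADUC checkbox:
# Set-ADAccountControl -Identity 'legacyapp.user' -UseDESKeyOnly $true
```

Run the live section on a domain controller after the policy has been applied (gpupdate /force, then check) and again on a Windows 7 client once the clients are migrated; the same registry value drives both. The 0x3 case is the trap the quoted article describes: a GPO that checks only the two DES boxes leaves the host unable to use RC4 or AES at all, while 0x7FFFFFFF (all six boxes) adds DES without removing anything, which is what GusGallows' answer recommends.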