Windows 2008 R2 DCs - Enable Use DES encryption for legacy applications

Posted on 2011-04-27
Last Modified: 2012-05-11

We are migrating our DCs to Windows 2008 R2. We have been checking the compatibility of our business applications and we have found that one of our vendors is requesting that the 'Use DES encryption' box be checked for all users that use the application.

According to the article below the following needs to be done:

- DES encryption doesn't even come with Windows 2008 anymore, and a hotfix (KB978055) needs to be installed in order to bring it to the OS.
- Our clients are Windows XP, and I understand from the article that nothing needs to be done on the client unless the clients are Windows 7/Vista or Windows 2008.

From what I understand, overall for Windows 2008 R2 DCs / Windows XP clients this is what needs to be done:

1.) Install KB978055 on the DCs
2.) At the AD user account level enable "Use DES encryption type for this account"
3.) Nothing has to be done at the client level since the clients are XP and are compatible with DES.

I was wondering if someone has done something similar in a production environment before in order to enable authentication for legacy applications through this method? Could you please let me know if there are any other steps that we need to take into consideration?

I understand that installing KB978055 will not change the type of authentication for ALL the domain users; instead DES will be used only for those that have "Use DES encryption type for this account" enabled at the AD account level. Is that correct?

Finally, we will be migrating the clients to Windows 7 soon; can you please let me know what needs to be done on the client side?

Thank you.

If you have applications that cannot get rid of DES, you can look at the steps required to enable DES support on the OS. There are two parts to this. First you will need to patch your 2008 domain controllers with KB978055. This gives the DC the ability to issue DES tickets. If your clients are Windows 7 or 2008 R2 servers themselves, they will need to have some configuration changes. This can be done by a registry fix, or pushed by group policy. Refer to this article for that. When changing the client settings, be careful that you allow all of the required encryption types. If you use a GPO to turn on DES, and don't specify anything else, your machine will only use DES.
Question by: llarava

    Expert Comment

    We ran into a similar issue. The thing is, DES encryption is already available in 2008 R2, but it is disabled. You have to enable it through group policy.

    Log in to one of the new domain controllers.
    From a command prompt, enter rsop.msc. This will bring up the Resultant Set of Policy screen. This will show what policies are applied to the domain controller. You want to browse through them to the following path:
    Computer Configuration, Windows Settings, Local Policies, Security Options

    From there, find the one called "Network security: Configure encryption types allowed for Kerberos"

    If the policy is applied, it should tell you in the Source GPO column which policy it is applied from. If it is disabled, you will need to go to whichever policy applies to your domain controllers and enable it. You will want to check all four of the encryption methods.

    This will enable DES authentication without removing the other forms. Your users will continue to authenticate at the highest level available to them. If the application requires DES, it will allow it. If it doesn't, it will use the proper one.

    Hope this helps.

    Accepted Solution

    Here is a screenshot of what the policy setting will look like:


    Expert Comment

    I meant to say you will want to check all SIX of the authentication methods. Fingers are working faster than the brain today. And you will need to change this using Group Policy Management under Administrative tools.
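    An added audit script (PowerShell, not posted by anyone in this thread) that ties the two answers together: it decodes the SupportedEncryptionTypes registry value that the "Network security: Configure encryption types allowed for Kerberos" policy writes (the six checkboxes are the six bits below; all six ticked is 0x7FFFFFFF), warns when only the DES bits are set (the DES-only pitfall from the quoted article), and lists the accounts that carry the per-account "Use DES encryption types" flag so the DES exception stays scoped to the legacy application's users. It assumes the ActiveDirectory module (RSAT) is installed and that it runs on or against a 2008 R2 DC.

```powershell
# Added audit script (not from this thread). Assumes the ActiveDirectory
# module (RSAT) is present and that it runs on, or against, a 2008 R2 DC.
Import-Module ActiveDirectory

# Bit values behind the six checkboxes of "Network security: Configure
# encryption types allowed for Kerberos"; ticking all six gives 0x7FFFFFFF.
$EncTypes = @(
    @{ Name = 'DES_CBC_CRC';             Bit = 0x1 },
    @{ Name = 'DES_CBC_MD5';             Bit = 0x2 },
    @{ Name = 'RC4_HMAC_MD5';            Bit = 0x4 },
    @{ Name = 'AES128_CTS_HMAC_SHA1_96'; Bit = 0x8 },
    @{ Name = 'AES256_CTS_HMAC_SHA1_96'; Bit = 0x10 },
    @{ Name = 'FutureEncryptionTypes';   Bit = 0x7FFFFFE0 }
)

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    # Names of every encryption type whose bit is set in $Mask.
    $EncTypes | Where-Object { ($Mask -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name }
}

# 1. What this DC will accept and issue: the policy-written registry value.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$item = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($null -eq $item) {
    'SupportedEncryptionTypes not set: OS defaults apply (2008 R2 leaves DES off)'
} else {
    $mask = [int]$item.SupportedEncryptionTypes
    'DC policy mask 0x{0:X}: {1}' -f $mask, ((ConvertFrom-EncTypeMask $mask) -join ', ')
    # The pitfall from the quoted article: only the DES bits set means DES-only.
    if ((($mask -band 0x3) -ne 0) -and (($mask -band (-bnot 0x3)) -eq 0)) {
        'WARNING: only DES types are enabled; RC4/AES-only clients will fail to authenticate'
    }
}

# 2. Accounts carrying "Use DES encryption types for this account"
#    (userAccountControl bit USE_DES_KEY_ONLY = 0x200000 = 2097152), found with
#    the LDAP bitwise-AND matching rule. Keep this list to the accounts the
#    legacy application actually needs.
$ldap = '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, 'msDS-SupportedEncryptionTypes' |
    Select-Object SamAccountName,
        @{ Name = 'UAC';               Expression = { '0x{0:X}' -f $_.userAccountControl } },
        @{ Name = 'SupportedEncTypes'; Expression = { $_.'msDS-SupportedEncryptionTypes' } }
```

    Run it again after migrating clients to Windows 7, since those clients need the same policy applied on their side before they can use DES tickets.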
