sydleg


DES encryption and Windows Server

We use Oracle Applications on our Windows network and have enabled WNA integration for Oracle/AD integration. This works well, except that using IE8 on Windows 7 we have to manually enter credentials to log in to the Oracle App.

Oracle posted this fix for it:
Run gpedit.msc - Expand "Local Computer Policy" > "Computer Configuration" > "Windows Settings" > "Security Settings"   > "Local Policies" > "Security Options"
Double click "Network security: Configure encryption types allowed for Kerberos" - Select "DES_CBC_MD5" and "DES_CBC_CRC"
Press "OK"

and

Run regedit.exe (Take a backup of the registry settings before any change)
Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection = REG_DWORD with a value of 3

I did this and the fix worked. However, once I have done this the Windows 7 client cannot log on to the network anymore - always bad username or password. I assume that DES authentication needs to be turned on on the AD servers. My AD servers are Win 2003 and Win 2008 (not R2). How can I solve this issue?

I am concerned about enabling this via group policy because the only time I can see the "Network security: Configure encryption types allowed for Kerberos" is via a Windows 7 computer using GPO man. When I look at the policy on 2003 or 2008 server this particular GPO setting is not present. I am scared to set it and lock out all my other clients, the majority of which are Windows XP.

Help.
Leon Fester

Windows 7 and 2008 do not support DES by default. They use HMAC encryption.
I've recently been working on implementing this for a client.

Here are some articles:
http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx
http://support.microsoft.com/kb/977321
http://www.faqs.org/rfcs/rfc4757.html

I'd rather look at setting up direct Active Directory authentication on the Oracle servers.
http://download.oracle.com/docs/cd/E19351-01/821-1926/z40000dd1295358.html
http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/e12023/ad_integ.htm
http://www.dbforums.com/oracle/1614856-configuring-oracle-authenticate-users-active-directory.html
sydleg

ASKER

Thanks, but this encryption relates to 2008 'R2' - I do not have a 2008 R2 server, only 2008.

Does this mean I cannot use this setting on my Windows 7 client if I am not running a 2008 R2 DC? And how would this affect my XP clients?
sydleg

ASKER

I looked at the article http://support.microsoft.com/kb/977321 and this highlights my main point and question. The DES encryption setting is required on the Win 2008 R2 version. If I look on a 2008 non-R2 server, the configuration in GP at - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Network security: Configure encryption types allowed for Kerberos option is not present, and neither is the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters.

So does this mean that if it is not present it should be enabled by default, as part of the Windows Server OS, or is there some other way that it needs to be enabled that is different from W2K8 R2?
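
The policy discussed above is stored as a bitmask in the SupportedEncryptionTypes value under the registry key named in the question. The following is an added example, not part of the original thread or of Oracle's or Microsoft's instructions: it decodes that value so you can see which Kerberos encryption types a client is left with, for instance after ticking only the two DES boxes. The function name and the sample masks are assumptions made for illustration.

```powershell
# Added example (not from the thread). Written to also run on PowerShell 2.0.
# Bit values are the documented Kerberos encryption-type flags.
$EtypeBits = @(
    @{ Etype = 'DES_CBC_CRC';      Bit = 0x01 },
    @{ Etype = 'DES_CBC_MD5';      Bit = 0x02 },
    @{ Etype = 'RC4_HMAC_MD5';     Bit = 0x04 },
    @{ Etype = 'AES128_HMAC_SHA1'; Bit = 0x08 },
    @{ Etype = 'AES256_HMAC_SHA1'; Bit = 0x10 }
)

# Hypothetical helper: turn a SupportedEncryptionTypes mask into a report.
function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory = $true)][int]$Mask)

    $enabled = @($EtypeBits |
        Where-Object { ($Mask -band $_.Bit) -ne 0 } |
        ForEach-Object { $_.Etype })

    $des   = ($Mask -band 0x03) -ne 0   # either DES type permitted
    $other = ($Mask -band 0x1C) -ne 0   # RC4 or AES permitted

    New-Object PSObject -Property @{
        Mask       = '0x{0:X}' -f $Mask
        Enabled    = $enabled -join ', '
        DesEnabled = $des
        DesOnly    = ($des -and -not $other)   # RC4 and AES are switched off
    } | Select-Object Mask, Enabled, DesEnabled, DesOnly
}

# Constructed sample masks: only the two DES boxes ticked (0x03),
# DES added alongside RC4 and AES (0x1F), RC4 and AES without DES (0x1C).
foreach ($sample in 0x03, 0x1F, 0x1C) {
    ConvertFrom-KerberosEtypeMask -Mask $sample
}

# Read the value the policy writes on the local machine, if it is set.
$key  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters'
$prop = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($prop) {
    ConvertFrom-KerberosEtypeMask -Mask $prop.SupportedEncryptionTypes
} else {
    'SupportedEncryptionTypes is not set: the OS default encryption types apply.'
}
```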
ASKER CERTIFIED SOLUTION
sydleg

sydleg

ASKER

Because nobody on this highly average technical help website was able to solve the problem
Thanks for sharing the solution!
Much appreciated.