DES encryption and Windows Server

sydleg
We use Oracle Applications on our Windows network and have enabled WNA integration for Oracle/AD integration. This works well except using IE8 on Windows 7, we have to manually enter credentials to log in to the Oracle App.

Oracle posted this fix for it:
Run gpedit.msc - Expand "Local Computer Policy" > "Computer Configuration" > "Windows Settings" > "Security Settings"   > "Local Policies" > "Security Options"
Double click "Network security: Configure encryption types allowed for Kerberos" - Select "DES_CBC_MD5" and "DES_CBC_CRC"
Press "OK"

and

Run regedit.exe (Take a backup of the registry settings before any change)
Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection = REG_DWORD with a value of 3

I did this and the fix worked. However, once I have done this the Windows 7 client cannot log on to the network anymore - always bad username or password. I assume that DES authentication needs to be turned on on the AD servers. My AD servers are Win 2003 and Win 2008 (not R2). How can I solve this issue?

I am concerned about enabling this via group policy because the only time I can see the "Network security: Configure encryption types allowed for Kerberos" is via a Windows 7 computer using GPO man. When I look at the policy on 2003 or 2008 server this particular GPO setting is not present. I am scared to set it and lock out all my other clients, the majority of which are Windows XP.

Help.

Leon Fester, Senior Solutions Architect

Commented:
Windows 7 and 2008 do not support DES by default. They use HMAC encryption.
I've recently been working on implementing this for a client.

Here are some articles:
http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx
http://support.microsoft.com/kb/977321
http://www.faqs.org/rfcs/rfc4757.html

I'd rather look at setting up direct Active Directory authentication on the Oracle servers.
http://download.oracle.com/docs/cd/E19351-01/821-1926/z40000dd1295358.html
http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/e12023/ad_integ.htm
http://www.dbforums.com/oracle/1614856-configuring-oracle-authenticate-users-active-directory.html

Author

Commented:
Thanks, but this encryption relates to 2008 'R2' - I do not have a 2008 R2 server, only 2008.

Does this mean I cannot use this setting on my Windows 7 client if I am not running a 2008 R2 DC? And how would this affect my XP clients?

Author

Commented:
I looked at the article http://support.microsoft.com/kb/977321 and this highlights my main point and question. The DES encryption setting is required on Win 2008 R2 version. If I look on a 2008 non-R2 server, the configuration in GP at - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Network security: Configure encryption types allowed for Kerberos option is not present, neither is the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters.

So does this mean that if it is not present it should be enabled by default, as part of the Windows Server OS, or is there some other way that it needs to be enabled that is different from W2K8 R2?

Commented:
I eventually had to log a Microsoft issue as this website is far from an 'EXPERTS EXCHANGE'. Here it is:

This article http://support.microsoft.com/kb/977321 differs from the Oracle instruction and tells us to check all 6 encryption methods as opposed to just the 2.

This fixes the issue.
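
As an added example (not part of the thread, and not Oracle's or Microsoft's own code), this PowerShell check decodes the policy value behind "Network security: Configure encryption types allowed for Kerberos" so you can see whether a client has only the two DES types selected or all six. It assumes the policy is stored as the `SupportedEncryptionTypes` DWORD under the registry key quoted in the question, with the bit values listed in the comments.

```powershell
# Added example: audit the Kerberos encryption-type policy on the local machine.
# Assumption: the policy is stored in the SupportedEncryptionTypes DWORD.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$name = 'SupportedEncryptionTypes'

# One bit (or bit range) per checkbox in the policy dialog.
$etypes = @(
    @{ Name = 'DES_CBC_CRC';             Mask = 0x1 },
    @{ Name = 'DES_CBC_MD5';             Mask = 0x2 },
    @{ Name = 'RC4_HMAC_MD5';            Mask = 0x4 },
    @{ Name = 'AES128_HMAC_SHA1';        Mask = 0x8 },
    @{ Name = 'AES256_HMAC_SHA1';        Mask = 0x10 },
    @{ Name = 'Future encryption types'; Mask = 0x7FFFFFE0 }
)
$desMask    = 0x3          # both DES checkboxes
$nonDesMask = 0x7FFFFFFC   # everything except DES

function Get-KerberosEtypeReport([int]$Value) {
    # Emit one row per checkbox, marking whether its bits are all set.
    foreach ($e in $etypes) {
        New-Object PSObject -Property @{
            EncryptionType = $e.Name
            Allowed        = (($Value -band $e.Mask) -eq $e.Mask)
        } | Select-Object EncryptionType, Allowed
    }
}

$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output "$name is absent: the policy is not configured on this machine."
} else {
    $value = [int]$prop.$name
    Write-Output ("{0} = 0x{1:X8}" -f $name, $value)
    Get-KerberosEtypeReport $value | Format-Table -AutoSize

    if (($value -band $nonDesMask) -eq 0) {
        # The state the question describes: only the two DES boxes ticked.
        Write-Warning 'Only DES types are allowed; the thread reports domain logon failing in this state.'
    } elseif ($value -band $desMask) {
        Write-Warning 'DES is allowed alongside other types; restrict this to clients that need it.'
    }
}
```

With all six boxes ticked, as in the resolution above, the value reads `0x7FFFFFFF`; with only the two DES boxes it reads `0x00000003`.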

Author

Commented:
Because nobody on this highly average technical help website was able to solve the problem
Leon Fester, Senior Solutions Architect

Commented:
Thanks for sharing the solution!
Much appreciated.
