DES encryption and Windows Server

sydleg used Ask the Experts™
We use Oracle Applications on our Windows network and have enabled WNA integration for Oracle/AD integration. This works well, except that when using IE8 on Windows 7 we have to manually enter credentials to log in to the Oracle App.

Oracle posted this fix for it:
Run gpedit.msc - Expand "Local Computer Policy" > "Computer Configuration" > "Windows Settings" > "Security Settings" > "Local Policies" > "Security Options"
Double click "Network security: Configure encryption types allowed for Kerberos" - Select "DES_CBC_MD5" and "DES_CBC_CRC"
Press "OK"


Run regedit.exe (Take a backup of the registry settings before any change)
Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection = REG_DWORD with a value of 3

I did this and the fix worked. However, once I have done this the Windows 7 client cannot log on to the network anymore - always bad username or password. I assume that DES authentication needs to be turned on on the AD servers. My AD servers are Win 2003 and Win 2008 (not R2). How can I solve this issue?

I am concerned about enabling this via group policy because the only time I can see the "Network security: Configure encryption types allowed for Kerberos" is via a Windows 7 computer using GPO man. When I look at the policy on a 2003 or 2008 server, this particular GPO setting is not present. I am scared to set it and lock out all my other clients, the majority of which are Windows XP.

Leon Fester, Senior Solutions Architect

Windows 7 and 2008 do not support DES by default. They use HMAC encryption.
I've recently been working on implementing this for a client.

Here are some articles:

I'd rather look at setting up direct Active Directory authentication on the Oracle servers.


Thanks, but this encryption relates to 2008 'R2' - I do not have a 2008 R2 server, only 2008.

Does this mean I cannot use this setting on my Windows 7 client if I am not running a 2008 R2 DC? And how would this affect my XP clients?


I looked at the article and this highlights my main point and question. The DES encryption setting is required on the Win 2008 R2 version. If I look on a 2008 non-R2 server, the configuration in GP at - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Network security: Configure encryption types allowed for Kerberos option is not present, neither is the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters.

So does this mean that if it is not present it should be enabled by default, as part of the Windows Server OS, or is there some other way that it needs to be enabled that is different from W2K8 R2?

I eventually had to log a Microsoft issue as this website is far from an 'EXPERTS EXCHANGE'. Here it is:

This article differs from the Oracle instruction and tells us to check all 6 encryption methods as opposed to just the 2.

This fixes the issue.


Because nobody on this highly average technical help website was able to solve the problem.

Leon Fester, Senior Solutions Architect

Thanks for sharing the solution!
Much appreciated.
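
The difference between Oracle's two checkboxes and the six that resolved the thread can be seen by decoding the bitmask the policy stores. This is an added example, not part of the original posts or of Oracle's or Microsoft's instructions; it assumes the value name `SupportedEncryptionTypes` under the registry key quoted in the thread, the function name is hypothetical, and the sample masks are constructed.

```powershell
# Added example: decode the bitmask behind
# "Network security: Configure encryption types allowed for Kerberos".
# One bit (or bit range) per checkbox in the policy dialog.
$EncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

# Hypothetical helper: returns the enabled types and two audit flags.
function ConvertFrom-KerberosEncMask {
    param([Parameter(Mandatory)][int]$Mask)

    $enabled = foreach ($name in $EncTypeBits.Keys) {
        if (($Mask -band $EncTypeBits[$name]) -ne 0) { $name }
    }
    [pscustomobject]@{
        Mask       = '0x{0:X}' -f $Mask
        Enabled    = @($enabled) -join ', '
        # Either DES type is allowed
        DesEnabled = ($Mask -band 0x3) -ne 0
        # Nothing except DES is allowed (RC4 and AES are off)
        DesOnly    = ($Mask -ne 0) -and (($Mask -band (-bnot 0x3)) -eq 0)
    }
}

# Constructed samples: the two DES boxes only, all six boxes, RC4 + AES only.
0x3, 0x7FFFFFFF, 0x1C |
    ForEach-Object { ConvertFrom-KerberosEncMask -Mask $_ } |
    Format-Table -AutoSize -Wrap

# On a Windows client, decode the live policy value if it has been set.
$key   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$value = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes `
              -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -ne $value) {
    ConvertFrom-KerberosEncMask -Mask $value
} else {
    'SupportedEncryptionTypes is not set; the OS defaults apply.'
}
```

The first sample row corresponds to selecting only "DES_CBC_MD5" and "DES_CBC_CRC", which leaves RC4 and AES disabled on that client; the second row corresponds to checking all six boxes.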
