Link to home
Start Free TrialLog in
Avatar of sydleg

asked on

DES encryption and Windows Server

We use Oracle Applications on our Windows network and have enabled WNA integration for Oracle/AD integration. This works well except using IE8 on Windows 7, we have to manually enter credentials to login in to the Oracle App.

Oracle posted this fix for it:
Run gpedit.msc - Expand "Local Computer Policy" > "Computer Configuration" > "Windows Settings" > "Security Settings"   > "Local Policies" > "Security Options"
Double click "Network security: Configure encryption types allowed for Kerberos" - Select "DES_CBC_MD5" and "DES_CBC_CRC"
Press "OK"


Run regedit.exe (Take a backup of the registry settings before any change)
Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection = REG_DWORD with a value of 3

I did this and the fix worked. However, once I have done this the Windows 7 client cannot logon to the network anymore - always bad username or password. I assume that DES authentication needs to be turned on on the AD servers. My AD servers are Win 2003 and Win 2008 (not R2). How can I solve this issue?

I am concerned about enabling this via group policy because the only time i can see the "Network security: Configure encryption types allowed for Kerberos" is via a Windows 7 computer using GPO man. When I look at the policy on 2003 or 2008 server this particular GPO setting is not present. I am scared to set it and lock out all my other clients the majority of which are Windows XP.

Avatar of Leon Fester
Leon Fester
Flag of South Africa image

Windows 7 and 2008 does not support DES by default. It uses HMAC encryption.
I've recently been working on implementing this for a client.

Here is some articles;

I'd rather look at setting up direct Active Directory authentication on the Oracle servers.
Avatar of sydleg


Thanks, but a this encryption relates to 2008 'R2' - i do not have a 2008 R@ server only 2008.

Does this mean I cannot use this see=tting on my windows 7 client if I am not running a 2008 R2 DC? And how would this affect my XP clients?
Avatar of sydleg


I looked at the article and this highlights my main point and question. The DES encryption setting is required on Win 2008 R2 version. If I look on a 2008 server non-R2 server the  configuration in GP at - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Network security: Configure encryption types allowed for Kerberos option is not present, neither is the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters.

SO does this mean that if it is not present it should be enabled by default, as part of the Windows Server OS or is there some other way that it needs to be enabled that is different from W2K8 R2?
Avatar of sydleg

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of sydleg


Because nobody on this highly average technical help website to solve the problem
Thanks for sharing the solution!
Much appreciated.