Windows 2012 group policy defaults for encryption types

Hi guys,

I hope you are all well and can assist.

We are in the preparation phase for upgrading our Windows 2003 Server (domain and forest functional level) Active Directory to Windows 2012 native.

We are yet to deploy our first Windows 2012 domain controller, but we want to know what the default encryption type is for 2012 in terms of group policy, since it may impact our SAP infrastructure.

Any help greatly appreciated.
Mike Kline commented:
It's not defined by default, but DES is enabled (like it was in 2008).

Policy I'm looking at in my lab:

Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options > Network Security: Configure encryption types allowed for Kerberos


Sandeshdubey (Senior Server Engineer) commented:
Network security: Configure encryption types allowed for Kerberos (content in this topic that applies specifically to Windows Server 2012 R2 Preview is preliminary and subject to change in future releases):
T M commented:
The accepted answer in this question is NOT correct. DES encryption is not enabled by default in Server 2012 R2.

For SAP interoperability, if your SAP is deployed on Linux or Windows system, DES-only encryption is NOT required for the SAP service accounts.

Kerberos V5 (supported by all Linux and Windows) includes the RC4, AES-128 and AES-256 encryption types. A keytab generated on a Windows 2012 DC for an account where DES-only is turned OFF will include all supported encryption types. Kerberos will negotiate the highest available encryption between the Windows domain and the SAP service for SSO.

Legacy SAP notes specifying DES-only configuration of Windows service accounts for SSO should be disregarded.

The SPN for the SAP service (beginning with "http/" and ending with the SAP server FQDN) must be set correctly on the destination Windows account. This will change the User Principal Name for the account.

This UPN must be reproduced with the exact case for the "-princ" parameter in the KTPASS command (normally the domain part is in upper case; the user name part is whatever you set when running SETSPN).

ktpass -princ http/sapserver.fqdn@DOMAIN.COM -mapuser domain\SAPSVC -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass * -out auth.keytab
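To verify the two things discussed above before running ktpass, namely whether the "Configure encryption types allowed for Kerberos" policy is defined on a host (Mike Kline's point) and whether the SAP service account is still flagged DES-only (T M's point), the following PowerShell script is an added example, not code from the thread. It assumes a domain-joined host with the ActiveDirectory RSAT module; the account name SAPSVC is a placeholder.

```powershell
# Added example (not from the thread): report Kerberos encryption types in
# effect for an SAP service account and the local Kerberos policy setting.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
# 'SAPSVC' is a placeholder; pass your SAP service account instead.
param([string]$SamAccountName = 'SAPSVC')

Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes; the GPO "Network security:
# Configure encryption types allowed for Kerberos" writes the same bits.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC = 0x01; DES_CBC_MD5 = 0x02; RC4_HMAC = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08; AES256_CTS_HMAC_SHA1_96 = 0x10
}
# userAccountControl flag behind "Use Kerberos DES encryption types for this account"
$UseDesKeyOnly = 0x200000

function Get-EncTypeNames([int]$Mask) {
    $EncTypeBits.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

# 1. Local policy: absent value means the GPO setting is "Not Defined".
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$policy = Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($null -eq $policy) { "Local policy : Not Defined (OS defaults apply)" }
else { "Local policy : $((Get-EncTypeNames $policy.SupportedEncryptionTypes) -join ', ')" }

# 2. Service account: encryption types, DES-only flag, SPNs and resulting UPN.
$acct = Get-ADUser -Identity $SamAccountName -Properties `
    'msDS-SupportedEncryptionTypes', userAccountControl, servicePrincipalName, userPrincipalName

$mask = [int]($acct.'msDS-SupportedEncryptionTypes')   # $null becomes 0
"Account      : $($acct.SamAccountName)"
"UPN          : $($acct.UserPrincipalName)"
"SPNs         : $($acct.ServicePrincipalName -join ', ')"
if ($mask -eq 0) { "Enc types    : attribute not set (DC default for the account applies)" }
else { "Enc types    : $((Get-EncTypeNames $mask) -join ', ')" }

if ($acct.userAccountControl -band $UseDesKeyOnly) {
    "WARNING      : DES-only flag is set; clear it so the keytab includes RC4/AES keys"
} else {
    "DES-only     : off (keytab from ktpass -crypto ALL will carry all supported types)"
}
```

Run it on a Windows 2012 DC or any domain-joined admin host; an empty "Local policy" line confirms the GPO is not defined, and the SPN/UPN lines give the exact case to copy into ktpass -princ.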