Windows 2012 group policy defaults for encryption types

Hi guys,

I hope you are all well and can assist.

We are in the preparation phase for upgrading our Windows 2003 server (domain and forest functional level) Active Directory to Windows 2012 native.

We are yet to deploy our first Windows 2012 domain controller, but we want to know what the default encryption type is for 2012 in terms of group policy, since it may impact our SAP infrastructure.

Any help greatly appreciated.

Mike Kline Commented:
It's not defined by default, but DES is enabled (like it was in 2008).

Policy I'm looking at in my lab

Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options > Network Security: Configure encryption types allowed for Kerberos



Sandeshdubey (Senior Server Engineer) Commented:
Network security: Configure encryption types allowed for Kerberos (Content in this topic that applies specifically to Windows Server 2012 R2 Preview is preliminary and subject to change in future releases):

T M Commented:
The accepted answer in this question is NOT correct. DES encryption is not enabled by default in Server 2012 R2.

For SAP interoperability, if your SAP is deployed on Linux or Windows system, DES-only encryption is NOT required for the SAP service accounts.

Kerberos V5 (supported by all Linux and Windows) includes the RC4, AES128 and AES-256 encryption types. A keytab generated on a Windows 2012 DC for an account where DES-only is turned OFF will include all supported encryption types. Kerberos will negotiate the highest available encryption between the Windows domain and the SAP service for SSO.

Legacy SAP notes specifying DES-only configuration of Windows service accounts for SSO should be disregarded.

SPN for the SAP service (beginning with "http/" and ending with the SAP server FQDN) must be set correctly on the destination Windows account. This will change the User Principal Name for the account.

This UPN must be reproduced with the exact case for the "-princ" parameter in the KTPASS command (normally the domain part is in upper case; the user name part is whatever you set it as when running SETSPN).

ktpass -princ http/sapserver.fqdn@DOMAIN.COM -mapuser domain\SAPSVC -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass * -out auth.keytab
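
Added example, not part of the thread or any poster's code: a small Python parser that lists which encryption types a keytab such as auth.keytab actually contains and flags single-DES entries, assuming the file uses the common 0x0502 keytab layout. The function names are illustrative and the sample bytes are constructed with all-zero keys.

```python
import struct

# Kerberos encryption type numbers that a "-crypto ALL" keytab can contain.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3}  # single-DES types

def read_counted(buf, pos):
    """Read a uint16-length-prefixed field; return (bytes, next position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, etype name, is_weak)] for a 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        end = pos + 4 + abs(size)          # negative size marks a deleted slot
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", buf, pos + 4)
            realm, p = read_counted(buf, pos + 6)
            comps = []
            for _ in range(ncomp):
                comp, p = read_counted(buf, p)
                comps.append(comp.decode())
            p += 8                         # skip name type and timestamp
            kvno = buf[p]
            (etype,) = struct.unpack_from(">H", buf, p + 1)
            _key, p = read_counted(buf, p + 3)   # key material is never returned
            if end - p >= 4:               # optional 32-bit kvno, used if set
                kvno = struct.unpack_from(">I", buf, p)[0] or kvno
            name = "/".join(comps) + "@" + realm.decode()
            entries.append((name, kvno, ETYPES.get(etype, f"etype-{etype}"), etype in WEAK))
        pos = end
    return entries

def make_entry(princ, realm, etype, key, kvno=3):
    """Build one constructed entry (test data with an all-zero key)."""
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = princ.encode().split(b"/")
    body = (struct.pack(">H", len(comps)) + s(realm.encode())
            + b"".join(map(s, comps)) + struct.pack(">IIBH", 1, 0, kvno, etype) + s(key))
    return struct.pack(">i", len(body)) + body

# Constructed sample shaped like a "-crypto ALL" keytab for the page's principal.
SAMPLE = b"\x05\x02" + b"".join(make_entry("http/sapserver.fqdn", "DOMAIN.COM", e, bytes(n))
                                for e, n in [(1, 8), (3, 8), (23, 16), (18, 32), (17, 16)])
```

To check a real file, pass `open("auth.keytab", "rb").read()` to `parse_keytab` and review any entry whose last field is `True`.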