Changes in Kerberos Authentication

Updated: October 21, 2009

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the cryptographic enhancements to Microsoft's implementation of Kerberos version 5 (v5) in Windows® 7 and Windows Server® 2008 R2.

DES not enabled by default in Windows 7 and Windows Server 2008 R2

Both DES cipher suites (DES-CBC-MD5 and DES-CBC-CRC) are disabled by default in Windows 7. The following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2:

  • AES256-CTS-HMAC-SHA1-96

  • AES128-CTS-HMAC-SHA1-96

  • RC4-HMAC

Enabling DES encryption types for Kerberos

Because DES is disabled by default in Windows 7 and Windows Server 2008 R2, you must explicitly configure your computers before they can use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. If your environment requires DES, this setting might affect compatibility with client computers, services, and applications in your environment.

The Configure encryption types allowed for Kerberos policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options.
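
To audit this setting across computers, it helps to read the configured value as a bitmask. The PowerShell below is an added example, not part of the original TechNet topic or Microsoft's code: it decodes a mask using the encryption-type bit flags defined in MS-KILE and reports whether DES is enabled or a default suite is missing. The function name and the sample masks are constructed for illustration.

```powershell
# Added example. Bit flags follow MS-KILE "Supported Encryption Types".
$KerbETypes = @(
    @{ Name = 'DES-CBC-CRC';             Bit = 0x01 },
    @{ Name = 'DES-CBC-MD5';             Bit = 0x02 },
    @{ Name = 'RC4-HMAC';                Bit = 0x04 },
    @{ Name = 'AES128-CTS-HMAC-SHA1-96'; Bit = 0x08 },
    @{ Name = 'AES256-CTS-HMAC-SHA1-96'; Bit = 0x10 }
)
$DesBits     = 0x03   # DES-CBC-CRC + DES-CBC-MD5
$DefaultBits = 0x1C   # RC4 + AES128 + AES256: the default set listed in this topic
$KnownBits   = 0x1F   # all five suites named in this topic

# Hypothetical helper (name chosen for this example): decode one mask and
# report how it deviates from the Windows 7 / Server 2008 R2 defaults.
function Test-KerberosEncryptionMask {
    param(
        [Parameter(Mandatory = $true)][int]$Mask,
        [string]$Source = 'unspecified'
    )
    $enabled = @($KerbETypes | Where-Object { $Mask -band $_.Bit } |
                 ForEach-Object { $_.Name })
    $dropped = @($KerbETypes |
                 Where-Object { ($DefaultBits -band $_.Bit) -and -not ($Mask -band $_.Bit) } |
                 ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        Source          = $Source
        Mask            = '0x{0:X}' -f $Mask
        DesEnabled      = [bool]($Mask -band $DesBits)
        Enabled         = $enabled -join ', '
        DefaultsMissing = $dropped -join ', '
        UnknownBits     = '0x{0:X}' -f ($Mask -band (-bnot $KnownBits))
    }
}

# Constructed sample masks, not taken from any real system.
$samples = @(
    @{ Source = 'default set';           Mask = 0x1C },
    @{ Source = 'DES-CBC-MD5 + RC4';     Mask = 0x06 },
    @{ Source = 'DES added to defaults'; Mask = 0x1F }
)
$samples | ForEach-Object { Test-KerberosEncryptionMask -Mask $_.Mask -Source $_.Source } |
    Select-Object Source, Mask, DesEnabled, Enabled, DefaultsMissing, UnknownBits |
    Format-Table -AutoSize
```

A row with DesEnabled set to True marks a computer that has been moved off the default described above; a non-empty DefaultsMissing column shows that AES or RC4 was switched off at the same time.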

ECC support in Kerberos for smart card logon

In Windows 7 and Windows Server 2008 R2, Kerberos supports elliptic curve cryptography (ECC) for smart card logon that uses X.509 certificates. Although this change is not visible to end users, they will benefit from stronger cryptography for their smart card logons. There is no configuration required to obtain ECC support in Kerberos. However, your smart cards and readers must support ECC.

Community Content

Explain how to change this      Ofer Gal ... kmrweb
Where is "Computer Configuration\Security Settings\Local Policies\Security Options." ?

As an administrator you can run 'gpedit.msc' to get here.
(see policy "Network security: Configure encryption types allowed for Kerberos" once open)

Policy not on DC      kmrweb
I've run gpedit.msc and followed the path. I do not see that policy on our Windows 2008 R2 domain controller.

Mistake on this Site      Phil Greenway
Yeah, it's a mistake ... it should be

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\

My problem is that 2008 doesn't have this option, so how do I add it?

More explicit instructions      freyman8080
Run gpedit.msc
Expand “Local Computer Policy” > “Computer Configuration” > “Windows Settings” > “Security Settings” > “Local Policies” > “Security Options” > “Network security: Configure encryption types allowed for Kerberos”
Double click “Network security: Configure encryption types allowed for Kerberos”
Select “DES_CBC_MDC” and “RC4_HMAC_MD5”
Press “OK”
File menu
Exit
