Changes in Kerberos Authentication

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the cryptographic enhancements to Microsoft's implementation of Kerberos version 5 (v5) in Windows® 7 andWindows Server® 2008 R2.

DES not enabled by default in Windows 7 and Windows Server 2008 R2

Both DES cipher suites (DES-CBC-MD5 & DES-CBC-CRC) are disabled by default inWindows 7.The following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2:

  • AES256-CTS-HMAC-SHA1-96

  • AES128-CTS-HMAC-SHA1-96

  • RC4-HMAC

Enabling DES encryption types for Kerberos

In Windows 7 and Windows Server 2008 R2, you must configure your computers to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment.

The Network security: Configure encryption types allowed for Kerberos policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options.

ECC support in Kerberos for smart card logon

In Windows 7 and Windows Server 2008 R2, Kerberos supports elliptic curve cryptography (ECC) for smart card logon that uses X.509 certificates. Although this change is not visible to end users, they will benefit from stronger cryptography for their smart card logons. There is no configuration required to obtain ECC support in Kerberos. However, your smart cards and readers must support ECC.

Forest Search Order

Forest Search Order gives you the ability to use Kerberos authentication across forest trusts using short names. Policy settings can be configured for KDC-based or Kerberos client-based searches.

For more information, see Introducing Forest Search Order.