
Changes in Kerberos Authentication

Updated: May 10, 2012

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the cryptographic enhancements to Microsoft's implementation of Kerberos version 5 (v5) in Windows® 7 and Windows Server® 2008 R2.

Both DES cipher suites (DES-CBC-MD5 and DES-CBC-CRC) are disabled by default in Windows 7. The following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2:

  • AES256-CTS-HMAC-SHA1-96

  • AES128-CTS-HMAC-SHA1-96

  • RC4-HMAC

In Windows 7 and Windows Server 2008 R2, you must explicitly configure your computers if they need to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. If your environment requires DES, then this default setting might affect compatibility with client computers or services and applications in your environment.

The Network security: Configure encryption types allowed for Kerberos policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options.
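When auditing which computers have re-enabled DES through this policy, it helps to decode the configured value against the defaults listed above. The following is an added example, not part of the original topic: it assumes the policy value is a bitmask that uses the msDS-SupportedEncryptionTypes flag layout (the bit values are not stated on this page), and the host names and values are constructed samples.

```python
# Added example, not from the original page. Assumption: bit values follow
# the msDS-SupportedEncryptionTypes flag layout (not stated on the page).
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
DEFAULT_MASK = 0x04 | 0x08 | 0x10  # suites the page lists as enabled by default


def audit_etypes(mask):
    """Decode a policy value; mask=None means not configured (defaults apply)."""
    configured = mask is not None
    effective = mask if configured else DEFAULT_MASK
    return {
        "configured": configured,
        "enabled": [n for b, n in sorted(ETYPE_BITS.items()) if effective & b],
        "des_enabled": [ETYPE_BITS[b] for b in (0x01, 0x02) if effective & b],
        "defaults_disabled": [ETYPE_BITS[b] for b in (0x04, 0x08, 0x10)
                              if not effective & b],
        "other_bits": effective & ~0x1F,  # reserved/future flags, reported raw
    }


# Constructed sample inventory: host name -> policy value (None = not configured).
SAMPLE_HOSTS = {
    "ws-default": None,
    "ws-legacy-des": 0x1F,
    "srv-aes-only": 0x18,
    "srv-future": 0x7FFFFFFC,
}


def report(hosts):
    """Return one line per host, flagging hosts that have DES re-enabled."""
    lines = []
    for host, mask in sorted(hosts.items()):
        r = audit_etypes(mask)
        flag = "DES ENABLED" if r["des_enabled"] else "ok"
        lines.append(f"{host}: {flag}: {', '.join(r['enabled'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HOSTS)))
```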

In Windows 7 and Windows Server 2008 R2, Kerberos supports elliptic curve cryptography (ECC) for smart card logon that uses X.509 certificates. Although this change is not visible to end users, they will benefit from stronger cryptography for their smart card logons. There is no configuration required to obtain ECC support in Kerberos. However, your smart cards and readers must support ECC.

Forest Search Order gives you the ability to use Kerberos authentication across forest trusts using short names. Policy settings can be configured for KDC-based or Kerberos client-based searches.

For more information, see Introducing Forest Search Order.
