AD DS: User accounts and trusts in this domain should not be configured for DES only

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Error

Category

Configuration

Issue

A user account or trust for this domain is configured for Data Encryption Standard (DES) only. DES is considered weak cryptography, and it is no longer enabled by default for Kerberos authentication in Windows 7 and Windows Server 2008 R2 and later versions.

At some point the computer that hosted the account, or the trusted realm, ran an operating system, Java platform, or Kerberos implementation that did not support RC4, so the account or trust was restricted to DES only. This also applies to trusts with older, non-Windows Kerberos realms. Even after the operating system or platform is upgraded to support RC4 or Advanced Encryption Standard (AES), the account or trust is not updated automatically and continues to use DES only.

Another possible issue is that an application could have hard-coded Kerberos encryption types.

Impact

Kerberos authentication fails for user accounts and trusts that are configured for DES only, because domain controllers running Windows Server 2008 R2 or later do not accept DES by default.

Resolution

User accounts and trusts should use Advanced Encryption Standard (AES) or RC4 Kerberos encryption keys.

Removing an encryption type that a service account supports can break client applications that use the account. Test any change in a non-production environment before you apply the following guidance.

If the computer that hosts the account is running a recent version of a non-Windows operating system or Java platform, removing the DES-only property from the user account allows other encryption types to be used. If the account's password was last set before the domain functional level was raised to Windows Server 2008, the domain controller has no AES keys for the account yet, and two things must be done to support AES:

  • Change the service account password to create an AES key.

  • Set AES 128-bit and 256-bit encryption support for the service account.

If the computer is running an old, non-Windows operating system or Java platform, determine whether at least RC4 is supported. Most Kerberos platforms have supported RC4 for several years.

  • If RC4 is supported, remove the DES-only property from the account to allow RC4 to be used.

  • If RC4 or AES is not supported, consider upgrading to a recent version of the platform.

  • If an upgrade is not available, contact the Kerberos platform vendor to ask if alternatives with stronger cryptography are possible.

  • If you must enable DES, enable DES on all client computers, the service account's computer, and all domain controllers in the service account's domain. After the Kerberos platform is upgraded to a version that supports RC4 or AES, disable DES again on all client computers, the service account's computer, and all domain controllers in the service account's domain.

If the application or service has a hard-coded DES Kerberos encryption type:

  • Contact the application or service vendor to determine whether newer versions of the product support RC4 or AES.

  • If an upgrade is not available, ask if alternatives with stronger cryptography are possible.

  • If you must enable DES, enable DES on all client computers, the service account's computer, and all domain controllers in the service account's domain. After the application or service is upgraded to a version that supports RC4 or AES, disable DES again on all client computers, the service account's computer, and all domain controllers in the service account's domain.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To remove the DES-only property from a user account

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed. Active Directory Domain Services Tools are installed by default on domain controllers and they are also included with the Remote Server Administration Tools. For more information about how to obtain Remote Server Administration Tools, see Additional references.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Navigate to the organizational unit (OU) where the user account is stored. By default, user accounts are created in the Users container.

  4. Right-click the user account, and then click Properties.

  5. Select the Account tab.

  6. Clear the Use Kerberos DES encryption types for this account check box.

  7. Click OK.

  8. Close Active Directory Users and Computers.

To upgrade the DES-only trust

  • Check whether at least RC4 is supported by the trusted third-party realm. Most Kerberos platforms have supported RC4 for several years.

    • If RC4 is supported, type the following command to enable it (realm flags set with ksetup are stored on the computer where the command is run):

      ksetup /addrealmflags [MIT_REALM] RC4

    • If AES is also supported, type the following command to enable it:

      ksetup.exe /SetEncTypeAttr [MIT_REALM] AES256-CTS-HMAC-SHA1-96

  • If RC4 or AES is not supported, consider upgrading to a recent version of the platform.

    If an upgrade is not available, contact the Kerberos platform vendor to see if alternatives with stronger cryptography are possible.

  • To remove the DES-only trust if it is no longer needed:

    netdom trust [YOUR_DOMAIN_NAME] /domain [MIT_REALM] /remove /force
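The procedures above are written for Active Directory Users and Computers and ksetup. The following PowerShell script is an added example, not part of the original article, that performs the same audit and remediation with the ActiveDirectory module (available on Windows Server 2008 R2 and later, and with the Remote Server Administration Tools). It covers the three parts of the resolution: finding user accounts that have the "Use Kerberos DES encryption types" flag set, listing the encryption types advertised on trust objects, and reading the local Kerberos encryption-type policy that the "If you must enable DES" bullets refer to. The account name svc-legacy is a placeholder; the bit values are the documented layout of userAccountControl and msDS-SupportedEncryptionTypes.

```powershell
# Added example, not from the original article: audit and remediate DES-only
# user accounts and trusts with the ActiveDirectory module. svc-legacy is a
# placeholder account name.
Import-Module ActiveDirectory

# userAccountControl flag behind the ADUC check box
# "Use Kerberos DES encryption types for this account"
$UF_USE_DES_KEY_ONLY = 0x200000

# Bit layout shared by msDS-SupportedEncryptionTypes and the
# "SupportedEncryptionTypes" policy value
$EncTypeBits = @{
    'DES-CBC-CRC'          = 0x01
    'DES-CBC-MD5'          = 0x02
    'RC4-HMAC'             = 0x04
    'AES128-CTS-HMAC-SHA1' = 0x08
    'AES256-CTS-HMAC-SHA1' = 0x10
}

function ConvertTo-EncTypeList {
    # Render a bit mask as a readable list; $null or 0 means "attribute not set"
    param([int]$Value)
    if ($Value -eq 0) { return '(not set)' }
    ($EncTypeBits.GetEnumerator() | Sort-Object Value |
        Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }) -join ','
}

function Test-DesOnly {
    # True when a DES bit is set and none of the RC4/AES bits (0x1C) are
    param([int]$Value)
    (($Value -band 0x03) -ne 0) -and (($Value -band 0x1C) -eq 0)
}

function Get-DesOnlyUser {
    # LDAP_MATCHING_RULE_BIT_AND on userAccountControl finds accounts with the box checked
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$UF_USE_DES_KEY_ONLY)" `
               -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'HasSPN';   e = { [bool]$_.servicePrincipalName } },
            @{ n = 'EncTypes'; e = { ConvertTo-EncTypeList $_.'msDS-SupportedEncryptionTypes' } }
}

function Get-TrustEncTypes {
    # trustType 2 = uplevel AD trust, 3 = MIT (non-Windows Kerberos realm)
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties trustPartner, trustType, 'msDS-SupportedEncryptionTypes' |
        Select-Object trustPartner, trustType,
            @{ n = 'EncTypes'; e = { ConvertTo-EncTypeList $_.'msDS-SupportedEncryptionTypes' } },
            @{ n = 'DesOnly';  e = { Test-DesOnly $_.'msDS-SupportedEncryptionTypes' } }
}

function Get-LocalKerberosEncTypes {
    # Value written by the policy "Network security: Configure encryption types
    # allowed for Kerberos". Absent means the OS default applies, which on
    # Windows 7 / Windows Server 2008 R2 and later excludes DES.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $v) { return '(not configured by policy; OS default applies)' }
    ConvertTo-EncTypeList $v
}

function Repair-DesOnlyUser {
    # The three resolution steps for one account: clear the DES-only flag,
    # advertise AES (plus RC4 if old clients still need it), and reset the
    # password so the domain controller derives AES keys. Test before use.
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [switch]$KeepRC4
    )
    $user = Get-ADUser -Identity $SamAccountName
    Set-ADAccountControl -Identity $user -UseDESKeyOnly $false
    $types = $EncTypeBits['AES128-CTS-HMAC-SHA1'] + $EncTypeBits['AES256-CTS-HMAC-SHA1']
    if ($KeepRC4) { $types += $EncTypeBits['RC4-HMAC'] }
    Set-ADUser -Identity $user -Replace @{ 'msDS-SupportedEncryptionTypes' = $types }
    $pw = Read-Host -AsSecureString -Prompt "New password for $SamAccountName"
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $pw
    # Show the result so the new PasswordLastSet and encryption types can be verified
    Get-ADUser -Identity $user -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'EncTypes'; e = { ConvertTo-EncTypeList $_.'msDS-SupportedEncryptionTypes' } }
}

# Audit
Get-DesOnlyUser   | Format-Table -AutoSize
Get-TrustEncTypes | Format-Table -AutoSize
Get-LocalKerberosEncTypes

# Remediate one account (placeholder name)
# Repair-DesOnlyUser -SamAccountName svc-legacy            # AES only
# Repair-DesOnlyUser -SamAccountName svc-legacy -KeepRC4   # client platform supports RC4 but not AES
```

Run the audit functions from an administrative workstation with the ActiveDirectory module loaded; Repair-DesOnlyUser requires the same Domain Admins (or equivalent) membership as the procedure above and resets the account's password, so run it only after the application test the Resolution section calls for. Use the -KeepRC4 switch when the Kerberos client platform supports RC4 but not AES; omit it once the platform supports AES. For trusts, the DesOnly column identifies trust objects that still need the ksetup changes shown in the trust procedure.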

Additional references

Article 977321 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=177717)

Remote Server Administration Tools for Windows 7 (https://go.microsoft.com/fwlink/?LinkID=153874)

Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=116179)