Exporter (0) Imprimer
Développer tout
Développer Réduire

AD DS: User accounts and trusts in this domain should not be configured for DES only

Mis à jour: avril 2010

S'applique à: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008 R2

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Error

Category

Configuration

Issue

A user account or trust for this domain is configured for Data Encryption Standard (DES) only. DES is considered weak cryptography and is no longer enabled by default in Kerberos authentication in Windows 7 and Windows Server 2008 R2.

At one time the user account or trust was running on an operating system, Java platform, or Kerberos version that did not support RC4. Therefore, the account was changed to support DES only. This also applies to trusts with older, non-Windows Kerberos realms. Even if the operating system or platform was upgraded to support RC4 or Advanced Encryption Standard (AES), the account does not update automatically and is still using only DES.

Another possible issue is that an application could have hard-coded Kerberos encryption types.

Impact

User accounts and trusts configured for DES only will have authentication failures.

Resolution

User accounts and trusts should use Advanced Encryption Standard (AES) or RC4 Kerberos encryption keys.

Removing the encryption type that a service account supports can break a client application that uses the account. Test any potential changes you might have to make before you apply the following guidance.

If the computer that hosts the account is running a recent version of a non-Windows operating system or Java platform, removing the DES-only property from the user account allows other encryption types to be used. If the account was created before the domain functional level was Windows Server 2008, two things must be done to support AES:

  • Change the service account password to create an AES key.

  • Set AES 128-bit and 256-bit encryption support for the service account.

If the computer is running an old, non-Windows operating system or Java platform, determine whether at least RC4 is supported. Most Kerberos platforms have supported RC4 for several years.

  • If RC4 is supported, remove the DES-only property from the account to allow RC4 to be used.

  • If RC4 or AES is not supported, consider upgrading to a recent version of the platform.

  • If an upgrade is not available, contact the Kerberos platform vendor to ask if alternatives with stronger cryptography are possible.

  • If you must enable DES, enable DES on all client computers, the service's computer, and all domain controllers in the service account's domain. After the Kerberos platform is upgraded to a version that supports RC4 or AES, disable DES on the on all client computers, the service's computer, and all domain controllers in the service account's domain.

If the application or service has a hard-coded DES Kerberos encryption type:

  • Contact the application or service vendor to determine whether newer versions of the product support RC4 or AES.

  • If an upgrade is not available, ask if alternatives with stronger cryptography are possible.

  • If you must enable DES, enable DES on all client computers, the service account's computer, and all domain controllers in the service account's domain. After the application or service is upgraded to a version that supports RC4 or AES, disable DES on all client computers, the service's computer, and all domain controllers in the service account's domain.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Consultez les informations détaillées sur l'utilisation des comptes et des appartenances aux groupes appropriés sur le site Web suivant : Groupes locaux et de domaine par défaut(http://go.microsoft.com/fwlink/?LinkId=83477).

To remove the DES-only property from a user account

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed. Active Directory Domain Services Tools are installed by default on domain controllers and they are also included with the Remote Server Administration Tools. For more information about how to obtain Remote Server Administration Tools, see Additional references.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Navigate to the organizational unit (OU) where the user account is stored. By default, user accounts are created in the Users container.

  4. Right-click the user account, and then click Properties.

  5. Select the Account tab.

  6. Clear the Use Kerberos DES encryption types for this account check box.

  7. Click OK.

  8. Close Active Directory Users and Computers.

To upgrade the DES-only trust

  • Check if at least RC4 is supported on the trusted third party realm. Most Kerberos platforms have supported RC4 for several years.

    • If RC4 is supported, type the following command to enable it:

      ksetup /addrealmflags [MIT_REALM] RC4

    • If AES is also supported, type the following command to enable it:

      ksetup.exe /SetEncTypeAttr [MIT_REALM] AES256-CTS-HMAC-SHA1-96

  • If RC4 or AES is not supported, consider upgrading to a recent version of the platform.

    If an upgrade is not available, contact the Kerberos platform vendor to see if alternatives with stronger cryptography are possible.

  • To remove the DES-only trust if it is no longer needed:

    netdom trust [YOUR_DOMAIN_NAME] /domain [MIT_REALM] /remove /force

Additional references

Article 977321 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=177717)

Remote Server Administration Tools for Windows 7 (http://go.microsoft.com/fwlink/?LinkID=153874)

Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=116179)

Cela vous a-t-il été utile ?
(1500 caractères restants)
Merci pour vos suggestions.

Ajouts de la communauté

AJOUTER
Microsoft réalise une enquête en ligne pour recueillir votre opinion sur le site Web de MSDN. Si vous choisissez d’y participer, cette enquête en ligne vous sera présentée lorsque vous quitterez le site Web de MSDN.

Si vous souhaitez y participer,
Afficher:
© 2014 Microsoft