Changes in Kerberos Authentication
Updated: May 10, 2012
Applies To: Windows 7, Windows Server 2008 R2
This product evaluation topic for the IT professional describes the cryptographic enhancements to Microsoft's implementation of Kerberos version 5 (v5) in Windows® 7 andWindows Server® 2008 R2.
Both DES cipher suites (DES-CBC-MD5 & DES-CBC-CRC) are disabled by default inWindows 7.The following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2:
In Windows 7 and Windows Server 2008 R2, you must configure your computers to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment.
The Network security: Configure encryption types allowed for Kerberos policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options.
In Windows 7 and Windows Server 2008 R2, Kerberos supports elliptic curve cryptography (ECC) for smart card logon that uses X.509 certificates. Although this change is not visible to end users, they will benefit from stronger cryptography for their smart card logons. There is no configuration required to obtain ECC support in Kerberos. However, your smart cards and readers must support ECC.