Trusts and Kerberos AES Encryption

  • Question

  • We have Active Directory with the Domain/Forest Functional Level "Windows Server 2008 R2". Now we have seen that there is an option in the Trust Properties tab called "The other domain supports Kerberos AES Encryption".

    Our question is,

    1. What are the requirements to use this option?

    2. What impact is there (e.g. on other encryption types) if we activate this option?

    3. What are the steps to activate this option successfully (restart of services, reboot...)?

    Thanks for your help.

    Thursday, 6 December 2012 08:24

Answers

All replies

  • The other domain supports Kerberos AES Encryption: Specifies whether the other domain in the selected trust relationship supports Kerberos AES Encryption: http://technet.microsoft.com/en-us/library/dd145414.aspx

    Windows Server 2008/Vista/Win7 has some encryption algorithm improvement. In addition, Server 2008 domain functional level can also come into play as a unified way to reveal that all domain controllers in a particular domain support AES. For a single domain running at Domain Functional Level 2008 the domain object will have the ms-DS-Behavior-Version value set to reveal that domain functional level show whether every computer in the domain should be able to rely on AES encrypted tickets alone.

    Windows 7 and Server 2008 R2 machines support the AES (to be more precise, AES128_HMAC_SHA1, AES256_HMAC_SHA1) and RC4 (RC4_HMAC_MD5) Kerberos encryption types. Microsoft only added support for the AES encryption type in Server 2008, Windows Vista, and later OSs. AES is newer and a stronger encryption algorithm.

    See below link for more details

    Kerberos Enhancements: http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx

    Server 2008 and Windows Vista: Encryption Better Together
    http://blogs.technet.com/ad/archive/2007/11/02/server-2008-and-windows-vista-encryption-better-together.aspx

    User accounts are not authenticated by the domain controllers that are in the child domain if "The other domain supports Kerberos AES Encryption" check box is selected: http://support.microsoft.com/kb/97561

    Reference link:
    http://www.windowsitpro.com/article/kerberos/q-can-the-default-encryption-types-the-kerberos-authentication-protocol-uses-in-windows-7-and-windows-server-2008-r2-cause-compatibility-problems-is-there-a-workaround-

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/da205761-4eb3-4896-a71f-7cc8512d5420/

    If the setting is enabled there is no reboot/service restart required.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by Ewoki Thursday, 6 December 2012 09:35
    Thursday, 6 December 2012 09:13
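    The encryption types named in the answer above can be verified in two places rather than taken on trust: the msDS-SupportedEncryptionTypes attribute of each trustedDomain object (the attribute that the "The other domain supports Kerberos AES Encryption" check box writes, as the linked Windows IT Pro article explains) and the Ticket Encryption Type field of the KDC audit events 4768/4769, which records the etype actually issued. The PowerShell below is an added example and is not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module is installed and that the caller can read a domain controller's Security log. The attribute bit values follow the MS-KILE documentation and the event-field values follow the Windows audit-event documentation; everything else (function names, the $ComputerName default) is the example's own choice.

    ```powershell
    # Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
    # and read access to the Security log of a domain controller.
    Import-Module ActiveDirectory

    # Bit values of msDS-SupportedEncryptionTypes as documented in MS-KILE.
    $EncTypeFlags = [ordered]@{
        DES_CBC_CRC             = 0x01
        DES_CBC_MD5             = 0x02
        RC4_HMAC_MD5            = 0x04
        AES128_CTS_HMAC_SHA1_96 = 0x08
        AES256_CTS_HMAC_SHA1_96 = 0x10
    }

    function ConvertFrom-SupportedEncryptionTypes {
        # Turn the raw bitmask into the list of etype names it enables.
        param([Nullable[int]]$Value)
        if ($null -eq $Value -or $Value -eq 0) {
            # Attribute absent or zero: the KDC treats the principal as RC4-only.
            return 'not set (RC4_HMAC_MD5 assumed)'
        }
        ($EncTypeFlags.GetEnumerator() |
            Where-Object { ($Value -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Name }) -join ', '
    }

    function Get-TrustEncryptionTypes {
        # One row per trust, showing whether the AES bits (0x08 | 0x10) are set on the
        # trustedDomain object, which is what the trust check box controls.
        Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                     -Properties 'msDS-SupportedEncryptionTypes', 'trustPartner' |
            ForEach-Object {
                $raw = $_.'msDS-SupportedEncryptionTypes'
                [pscustomobject]@{
                    TrustPartner = $_.trustPartner
                    RawValue     = $raw
                    Supported    = ConvertFrom-SupportedEncryptionTypes $raw
                    AESEnabled   = ($null -ne $raw) -and (($raw -band 0x18) -ne 0)
                }
            }
    }

    function Get-KerberosTicketEncryptionTypes {
        # Summarise which etypes the KDC actually issued, from audit events
        # 4768 (TGT) and 4769 (service ticket). Values of TicketEncryptionType
        # as documented for those events.
        param(
            [string]$ComputerName = $env:COMPUTERNAME,  # assumed: run on or against a DC
            [int]$MaxEvents = 500
        )
        $names = @{
            '0x1'  = 'DES_CBC_CRC'
            '0x3'  = 'DES_CBC_MD5'
            '0x11' = 'AES128_CTS_HMAC_SHA1_96'
            '0x12' = 'AES256_CTS_HMAC_SHA1_96'
            '0x17' = 'RC4_HMAC_MD5'
            '0x18' = 'RC4_HMAC_MD5_EXP'
        }
        Get-WinEvent -ComputerName $ComputerName `
                     -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } `
                     -MaxEvents $MaxEvents |
            ForEach-Object {
                # Parse the EventData by field name rather than by position, since the
                # Properties array order differs between 4768 and 4769.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                $et = $data['TicketEncryptionType']
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    EventId        = $_.Id
                    Target         = $data['TargetUserName']
                    ServiceName    = $data['ServiceName']
                    EncryptionType = if ($names.ContainsKey($et)) { $names[$et] } else { $et }
                }
            } |
            Group-Object EventId, EncryptionType |
            Select-Object Count, Name
    }

    # Usage: check the trust objects first, then confirm with what the KDC issued.
    Get-TrustEncryptionTypes | Format-Table -AutoSize
    Get-KerberosTicketEncryptionTypes | Format-Table -AutoSize
    ```

    Reading the two outputs side by side is the useful check: a trust whose AESEnabled column is True but whose 4769 events for the partner's krbtgt service still show RC4_HMAC_MD5 points at a client or KDC on the far side that does not yet support AES, which is the compatibility case the linked KB describes. Because the attribute is read by the KDC on each ticket request, changing it needs no service restart, matching the answer above.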
  • Thanks for your fast reply.

    The problem that user accounts are not authenticated by the domain controllers that are in the child domain if the "The other domain supports Kerberos AES Encryption" check box is selected doesn't concern our environment, because our Domain Controllers run Windows Server 2008 R2 SP1. SP1 includes the hotfix needed to solve this problem.

    One question only:

    Is it correct that the trust option "The other domain supports Kerberos AES Encryption" only concerns the trust channel and communication and has no impact on other Kerberos authentication (e.g. user authentication)?

    Thanks for your support.

    PS. correct link to the following KB:

    User accounts are not authenticated by the domain controllers that are in the child domain if "The other domain supports Kerberos AES Encryption" check box is selected: http://support.microsoft.com/kb/975616

    Thursday, 6 December 2012 09:34