SQL Server Management Studio 2014 without "RC4_HMAC_MD5"

  • Question

  • Hello everyone,

    We're trying to implement an actualized security setting on some of our Windows systems, which includes removing the "RC4_HMAC_MD5" encryption type from the policy "Network Security: Configure encryption types allowed for Kerberos".

    Now we have a customer who can no longer connect to his SQL instances with SQL Server Management Studio 2014.

    Is there a way to configure SQL Server Management Studio, or the source system which uses this tool to connect to the SQL Server instance (or the target system hosting the SQL instance), so that RC4 is no longer used and a newer encryption type like AES is used instead?

    Thanks,

    Ville

    Tuesday, March 13, 2018 6:30 AM

All replies

  • Some more details:

    The message we get when trying to connect is "The target principal name is incorrect. Cannot generate SSPI context".

    There is actually a lot of documentation about this message, which is why I did some additional SPN/Kerberos checks.

    We realized that the Kerberos ticket (checked with "klist") for the MSSQLSvc is based on RC4:
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    Session Key Type: RSADSI RC4-HMAC(NT)

    The user's own Kerberos ticket, however, is correctly based on AES-256-CTS-HMAC-SHA1-96.

    Now I have to try to figure out why the Kerberos server is giving an RC4-based Kerberos ticket instead of AES-256...

    If anyone could provide some ideas of settings I should check, please let me know :)

    Best Regards,

    Ville

    Tuesday, March 13, 2018 9:40 AM
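
The klist check described in the post above, as an added example that is not part of the original thread: it parses klist output and lists every cached ticket whose ticket or session key encryption type is RC4. The sample output is constructed, and the realm, host and account names in it are placeholders.

```python
import re

# Constructed sample in the layout Windows klist prints; realm, host and
# account names are placeholders, not values from the thread.
SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: user1 @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: user1 @ EXAMPLE.COM
        Server: MSSQLSvc/sql01.example.com:1433 @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

# "Field name: value", optionally preceded by the "#N>" ticket marker.
FIELD = re.compile(r"^\s*(?:#\d+>\s*)?([A-Za-z ]+?):\s*(.+?)\s*$")


def parse_klist(text):
    """Split klist output into one dict of 'Field: value' pairs per ticket."""
    tickets, current = [], None
    for line in text.splitlines():
        if re.match(r"^\s*#\d+>", line):  # "#N>" starts a new ticket
            current = {}
            tickets.append(current)
        m = FIELD.match(line)
        if current is not None and m:
            current[m.group(1).strip()] = m.group(2)
    return tickets


def rc4_tickets(tickets):
    """Return (server, ticket etype, session key etype) where either is RC4."""
    hits = []
    for t in tickets:
        etype = t.get("KerbTicket Encryption Type", "")
        skey = t.get("Session Key Type", "")
        if "RC4" in etype.upper() or "RC4" in skey.upper():
            hits.append((t.get("Server", "?"), etype, skey))
    return hits


if __name__ == "__main__":
    for server, etype, skey in rc4_tickets(parse_klist(SAMPLE_KLIST)):
        print(f"RC4 in use: {server}  ticket={etype}  session={skey}")
```
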
  • I have observed the same behavior in a later (2017) SSMS version as well. Have you discovered a reason as to why SSMS will not request AES tickets?
    Friday, August 23, 2019 11:24 AM