Windows 2008R2 DC's - Enable Use DES encryption for legacy applications

    Question

  •  Hi,

    We are migrating our DCs to Windows 2008 R2. We have been checking the compatibility of our business applications and we have found that one of our vendors is requesting that the ‘Use DES encryption’ box be checked for all users that use the application.

    According to the article below the following needs to be done:

    -DES encryption doesn't even come with Windows 2008 anymore and a hotfix needs to be installed in order to bring this to the OS (KB978055)
    -Our clients are Windows XP and I understand from the article that nothing needs to be done on the client unless the clients are Windows 7/Vista or Windows 2008.

    From what I am understanding overall for a Windows 2008R2 DCs / Windows XP clients this is what needs to be done:

    1.) Install KB978055 on the DCs
    2.) At the AD user account level enable "Use DES encryption type for this account"
    3.) Nothing has to be done at the client level since the clients are XP and are compatible with DES.

    I was wondering if someone has done something similar in a production env. before in order to enable authentication for legacy applications through this method? Could you please let me know if there are any other steps that we need to take in consideration?

    I am understanding that installing KB978055 will not change the type of authentication for ALL the domain users; instead DES will be used only for those that have "Use DES encryption type for this account" enabled at the AD account level. Is that correct?

    Finally, we will be migrating the clients soon to Windows 7; can you please let me know what needs to be done on the client side?

    Thank you.

    --------------------------
    If you have applications that cannot get rid of DES, you can look at the steps required to enable DES support on the OS. There are two parts to this. First you will need to patch your 2008 domain controllers with KB978055. This gives the DC the ability to issue DES tickets. If your clients are Windows 7 or 2008 R2 server themselves, they will need to have some configuration changes. This can be done by a registry fix, or pushed by group policy. Refer to this article for that. When changing the client settings, be careful that you allow all of the required encryption types. If you use a GPO to turn on DES, and don't specify anything else, your machine will only use DES.


    http://myitpath.blogspot.com/2011/01/des-encryption-kerberos-and-2008-server.html
    Wednesday, April 27, 2011 1:30 PM

Answers

  • Hi,

     

    DES is not enabled by default in Windows 7 and Windows Server 2008 R2. In Windows 7 and Windows Server 2008 R2, you must configure your computers to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. The Configure encryption types allowed for Kerberos policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options.

     

    To answer your question, Windows XP is compatible with the full key length as follows:

    - CALG_DES - 64 bits
    - CALG_3DES_112 - 128 bits
    - CALG_3DES - 192 bits

     

    If you check the “Use DES encryption types for this account”, it will use DES only.

     

    For the known issue regarding DES encryption, please refer to the following Microsoft KB and TechNet articles:

     

    An application that uses DES encryption for Kerberos authentication cannot run on a Windows XP-based client computer in a Windows Server 2008 domain

    http://support.microsoft.com/kb/2274102

     

    KDC Event ID 16 or 27 is logged if DES for Kerberos is disabled

    http://support.microsoft.com/kb/977321

     

    PRB: Cannot Decrypt Data Using Data Encryption Standard (DES) Key Across Windows Platforms

    http://support.microsoft.com/kb/331367

     

    AD DS: User accounts and trusts in this domain should not be configured for DES only

    http://technet.microsoft.com/en-us/library/ff646918(WS.10).aspx

     

    For more information, please also read the following Microsoft TechNet blog:

     

    Hunting down DES in order to securely deploy Kerberos

    http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx

     

    Regards,

     

    Arthur Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, April 28, 2011 5:22 AM
    Moderator

All replies

  • Hi,

    Thank you for your reply.

    I am still a little confused about the way that we have to enable DES. The questions I originally asked were:

    1.) Install KB978055 on the DCs  -- Is this a requirement for Windows 2008R2?

    2.) At the AD user account level enable "Use DES encryption type for this account" - Do we need to configure this? If so, would these be the only users using DES and the rest will go with the default Kerberos authentication for Windows 2008R2?

    3.) You have mentioned that the following has to be configured "The Configure encryption types allowed for Kerberos policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options" - Do we need to make this change on the local policy on the 2k8 DCs?

    Thursday, April 28, 2011 7:14 PM
  • Could someone please answer my questions? Thank you
    Friday, April 29, 2011 2:25 PM
  • Hi,

     

    Generally, if you encounter the same issue as the Microsoft KB article mentioned, you need to install the hotfix. Of course, you may also install it to avoid the issue.

     

    You need to enable "Use DES encryption type for this account" to use DES and the rest will go with the default Kerberos authentication for Windows 2008R2.

     

    Computers to which the Group Policy "Configure encryption types allowed for Kerberos" (located in Computer Configuration\Security Settings\Local Policies\Security Options) is applied will use DES encryption when users log in.

     

    Regards,

     

    Arthur Li

    Tuesday, May 03, 2011 8:20 AM
    Moderator
  • Hi,

     

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards,

     

    Arthur Li

    Thursday, May 05, 2011 7:17 AM
    Moderator
  • Hi,

    I just wanted to verify one more thing.

    Where does "Computer Configuration\Security Settings\Local Policies\Security Options\" have to be enabled?

    Do we have to do it in the Default Domain Controllers Policy?

    Thank you.

    Thursday, May 05, 2011 12:53 PM
  • Hi,

     

    In Windows Server 2008 R2, the correct path is Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos.

     

    Please enable the above Group Policy to apply the DES encryption type to all computers that are running Windows 7 or Windows Server 2008 R2.

     

    Regards,

     

    Arthur Li

    Friday, May 06, 2011 2:50 AM
    Moderator
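The two settings discussed in this thread, the per-account "Use DES encryption types for this account" flag and the "Network security: Configure encryption types allowed for Kerberos" policy, both come down to bit flags, and the trap quoted in the first post (a GPO that enables DES and nothing else leaves the computer DES-only) is easy to check for. The following is an added example, not code from the thread or from Microsoft: it decodes the policy bitmask (the SupportedEncryptionTypes value the policy writes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters, same bit layout as the AD attribute msDS-SupportedEncryptionTypes) and scans a constructed, hypothetical directory export for accounts carrying the USE_DES_KEY_ONLY bit of userAccountControl.

```python
# Added example (not from the thread): decode the Kerberos encryption-type
# bitmask and find AD accounts flagged "Use DES encryption types for this
# account", using constructed sample data instead of a live domain.

# Bit values of msDS-SupportedEncryptionTypes and of the policy's registry
# value SupportedEncryptionTypes (low five bits).
ENC_TYPES = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
DES_BITS = 0x03
# userAccountControl flag set by "Use DES encryption types for this account".
USE_DES_KEY_ONLY = 0x200000


def decode_enc_types(mask):
    """Return the cipher names enabled by a SupportedEncryptionTypes mask."""
    return [name for bit, name in ENC_TYPES.items() if mask & bit]


def policy_warning(mask):
    """Describe the effect of a policy mask on a Windows 7 / 2008 R2 computer.
    A mask with only DES bits set is the misconfiguration the thread warns
    about: the machine can then negotiate nothing but DES."""
    enabled = decode_enc_types(mask)
    if not enabled:
        return "no encryption types enabled; Kerberos will fail"
    if (mask & ~DES_BITS) == 0:
        return "DES only: add RC4 and AES to the policy as well"
    if (mask & DES_BITS) == 0:
        return "DES not enabled on this computer; DES-only accounts cannot log on from it"
    return "ok: " + ", ".join(enabled)


def des_only_accounts(users):
    """Return sAMAccountNames whose userAccountControl has USE_DES_KEY_ONLY."""
    return [u["sAMAccountName"] for u in users
            if u["userAccountControl"] & USE_DES_KEY_ONLY]


# Constructed sample export; account names are hypothetical.
SAMPLE_USERS = [
    {"sAMAccountName": "svc_legacyapp", "userAccountControl": 0x200000 | 0x10200},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_old_erp", "userAccountControl": 0x200000 | 0x200},
]

if __name__ == "__main__":
    for mask in (0x3, 0x1F, 0x1C):
        print(hex(mask), policy_warning(mask))
    print("DES-only accounts:", des_only_accounts(SAMPLE_USERS))
```

Run against a real export, the DES-only account list is the set of users who will break the moment the DES hotfix or policy is removed, and a policy mask of 0x3 on the Windows 7 OU is the "DES only" mistake to fix before rollout.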
  • Hi Arthur_Li,

     

    We have almost the same issue here, but I have some domain controllers on Windows 2008 R2 SP1, a lot of them still on 2003 and 2 on 2000.
    I have a GPO in place to enable DES for the Domain Controllers OU.

    I cannot install the patch on my Windows 2008 R2 SP1 machines because I get an error message saying "The update is not applicable for the system". Now I guess that is because of SP1; my files are newer than the ones in the patch.

    Can you tell me if there is a fix for SP1 as well, or whether maybe my domain level, which is Windows 2000 native at the moment, is not good enough and should be upgraded to Windows 2003?

    I also enabled the policy on a Windows 7 OU. How can I see if DES is enabled, because kerbtray is not available?
    Are there any tools I could use on Windows 7 to test Kerberos?

    Hope to hear from you.

    Regards,

    Erik van der Groef.

     

    Wednesday, September 21, 2011 12:18 PM