
KB-1120: Using AES encryption with Windows 2008 domains

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:12 AM

Applies to: Centrify DirectControl 5.x and later

Question:

The Domain Controller is already at Windows 2008, but the environment is running an older version of DirectControl (4.2.0 or lower).
Are there any best practices for upgrading DirectControl to 4.2.0 or later?


Answer:

Windows Server 2008 introduced a new encryption type, AES, which can be used when Active Directory is running at Domain Controller Functional Level 2008.
DirectControl 4.2.0 and later supports AES encryption by default.

When upgrading from a previous version of Centrify DirectControl to 4.2.x, the following configuration is needed:

Enable AES encryption:
  1. Open the following file for editing:
    • /etc/centrifydc/centrifydc.conf
  2. Find the lines:
    • # adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    • # adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
  3. Remove the comments and edit these two lines to include the aes256-cts and aes128-cts encryption types.
    • These two types need to be present for the adclient to support AES.
    • If AES is NOT required, then the two values should not be specified in these parameters.
    • This list is sequence sensitive; the first type in the list will be the preferred encryption type used, and so on.
    • Suggested edit:
      • adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
      • adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc arcfour-hmac-exp

Note: RC4 is the same as arcfour-hmac-md5 
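
One way to verify the result of the steps above is a read-only check of the two parameters. This is an added example, not part of the original article or Centrify's tooling; the function names and the sample file are constructed for illustration, and on a real host the file to pass to audit_conf is /etc/centrifydc/centrifydc.conf.

```shell
#!/bin/sh
# Read-only audit of a centrifydc.conf-style file (added example, not Centrify code).

# Print the value of the last active (uncommented) "name: value" line, if any.
get_param() {  # $1 = file, $2 = parameter name
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, ":"); if (i == 0) next
          k = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
          v = substr($0, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1" | tr -s ' \t' ' '
}

# Return 0 when the parameter is active and lists both AES types, else 1.
check_param() {  # $1 = file, $2 = parameter name
    value=$(get_param "$1" "$2")
    if [ -z "$value" ]; then
        echo "$2: commented out or missing"; return 1
    fi
    ok=0
    for need in aes256-cts aes128-cts; do
        case " $value " in
            *" $need "*) ;;
            *) echo "$2: $need not listed"; ok=1 ;;
        esac
    done
    # The list is sequence sensitive: the first entry is the preferred type.
    echo "$2: preferred type is ${value%% *}"
    return $ok
}

audit_conf() {  # $1 = file; returns 0 only if both parameters pass
    rc=0
    for p in adclient.krb5.tkt.encryption.types adclient.krb5.permitted.encryption.types; do
        check_param "$1" "$p" || rc=1
    done
    return $rc
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
# Constructed sample: tkt line enabled with AES, permitted line enabled without it.
cat > "$tmp/partial.conf" <<'EOF'
# adclient.krb5.tkt.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
adclient.krb5.permitted.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
EOF
audit_conf "$tmp/partial.conf" || echo "result: AES is not fully enabled"
```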
