Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1645: Using AES encryption with Windows 2008 domains

Centrify DirectAudit ,   Centrify DirectControl ,   Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:12 AM

Question:

The Domain Controller is already at Win2008, but the environment is running an older version of DirectControl, (4.2.0 or lower). Are there any best practices for upgrading DirectControl to 4.2.0 or later?


Answer:

Windows Server 2008 introduced a new encryption type, AES which can be used when Active Directory is running at Domain Controller Functional Level 2008. DirectControl 4.2.0 and later supports AES encryption by default.

If upgrading from a previous version of Centrify DirectControl to 4.2.x, the following configurations are needed:

Enable AES encryption:
  1. Open the following file for editing:
    • /etc/centrifydc/centrifydc.conf
  2. Find the lines:
    • # adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    • # adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
  3. Remove the comments and edit these two lines to include the aes256-cts and aes128-cts encryption types.
    • These two types need to be present for the adclient to support AES.
    • If AES is NOT required, then the two values should not be specified in these parameters.
    • This list is sequence sensitive; the first type in the list will be the preferred encryption type used, and so on.
    • Suggested edit:
      • adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
      • adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc arcfour-hmac-exp

Note: RC4 is the same as arcfour-hmac-md5 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-1619: Unable to login after raising the Domain/Forest level to 2008 articleKB-2098: How to configure Windows 2008 R2 to support DES/nfsv4? articleKB-6041: How to show current license type in use by adclient? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-1550: Windows Event ID: 26 gets reported in Domain Controller event log from Unix/Linux machines running Centrify DirectControl articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-2018: Upgrade Domain Controller from W2K3 to W2K8/W2K8R2 articleKB-8218: What encryption type is Centrify DirectControl agent using to communicate with the DC?