Question:

The Domain Controller is already at Win2008, but the environment is running an older version of DirectControl, (4.2.0 or lower). Are there any best practices for upgrading DirectControl to 4.2.0 or later?


Answer:

Windows Server 2008 introduced a new encryption type, AES which can be used when Active Directory is running at Domain Controller Functional Level 2008. DirectControl 4.2.0 and later supports AES encryption by default.

If upgrading from a previous version of Centrify DirectControl to 4.2.x, the following configurations are needed:

Enable AES encryption:

1. Open the following file for editing:
   • /etc/centrifydc/centrifydc.conf
2. Find the lines:
   • # adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
   • # adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
3. Remove the comments and edit these two lines to include the aes256-cts and aes128-cts encryption types.
   • These two types need to be present for the adclient to support AES.
   • If AES is NOT required, then the two values should not be specified in these parameters.
   • This list is sequence sensitive; the first type in the list will be the preferred encryption type used, and so on.
   • Suggested edit:
     • adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
     • adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc arcfour-hmac-exp

Note: RC4 is the same as arcfour-hmac-md5