KB-2019: Windows 2008 R2 does not support DES by default

Authentication Service

12 April,16 at 11:06 AM

Applies to: All versions of Centrify DirectControl

Problem:

After upgrading to Windows 2008 R2, the following error is seen:

Kerberos ETYPE not supported from KDC


Cause:

Starting with Windows 2008 R2, the DES encryption type is no longer supported by default.

Applications like NFSv4 and Oracle will fail when trying to get a service ticket from a KDC/DC running on Win2008R2.


Workaround:

The registry value below needs to be set on EVERY DC running Win2008R2 in the domain for it to work with DES.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
"KdcUseRequestedEtypesForTickets"=dword:00000001
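
Because the value has to be present on every DC, the following added example (not part of the original article or of any Centrify tooling) reports the state of KdcUseRequestedEtypesForTickets on each domain controller in the current domain. It assumes the ActiveDirectory PowerShell module, PowerShell 3.0 or later on the admin host, and PowerShell remoting enabled on the DCs.

```powershell
# Added example: audit KdcUseRequestedEtypesForTickets on every DC in the current domain.
# Assumptions: ActiveDirectory module (RSAT) is installed and remoting to each DC is allowed.
Import-Module ActiveDirectory

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\kdc'
$valueName = 'KdcUseRequestedEtypesForTickets'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem   # the setting applies to Win2008R2 DCs
        Value            = $null
        Status           = $null
    }
    try {
        # Read the value on the DC itself; nothing is returned when the value is absent.
        $row.Value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($Path, $Name)
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        } -ArgumentList $keyPath, $valueName

        if ($null -eq $row.Value) { $row.Status = 'NotSet' }
        elseif ($row.Value -eq 1) { $row.Status = 'Set' }
        else                      { $row.Status = 'Unexpected' }
    }
    catch {
        # Report unreachable DCs instead of skipping them: a single DC without
        # the value can still answer a ticket request.
        $row.Status = "Unreachable: $($_.Exception.Message)"
    }
    $row
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize
```

The same report can be rerun after the applications have moved to AES to confirm the DES workaround has been removed from every DC.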



Solution:

Applications like NFSv4 will need to release a new version that supports the AES encryption type.

For more information, please see the following links:
If DES is needed for NFSv4, the enctype must be fixed on both the adclient side and the AD side.

Win2003 -> Win2008 upgrades change the KRBTGT password hash. This operation invalidates all TGTs that were issued prior to the upgrade.

Adclients need to be restarted by issuing the centrifydc restart command.