Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2098: How to configure Windows 2008 R2 to support DES/nfsv4?

Authentication Service ,  

12 April,16 at 11:12 AM

Applies to:
All versions of Centrify DirectControl.
Is it possible to get Nfsv4 to work with W2k03 Domain functional level with mixed  Windows 2003 and Windows 2008 R2 DCs?
With domain function level = W2003, with mixed W2003 and W2008R2 DC, it is possible to make DES work and thus support NFSv4. 
Note: Newer nfs-utils (RHEL6) can work with arcfour but at the time of writing of this KB, Centrify is not sure about other flavors of RHEL.
Steps needed on AD side: 
(1) Microsoft KB-978055 
You need the hot fix installed on W2008R2 to fix a bug in KDC. Note: This hot fix may not be needed if SP1 is installed. Please contact Microsoft for further assistance as this link was provided as a courtesy only.
(2) Microsoft KB-977321 
The KB tells how to enable DES encryption for Kerberos authentication in Windows 7 and in Windows Server 2008 R2. You need to fix the GP to allow DES encryption types.  Please contact Microsoft for further assistance as this link was provided as a courtesy only.
With the above 2 steps, Window 2008R2 will now support DES. 
Note: The registry hack (KdcUseRequestedEtypesForTickets) in Microsoft KB-833708 ( is NOT needed. 
Steps on the Centrify Unix server side (you need to be root): 
(3) You need to instruct Centrify adclient to ask for DES tickets (if this is not already in place): 
(a) In /etc/centrifydc/centrifydc.conf, move des encryption to the front as shown below. 
adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 
aes256-cts aes128-cts 
adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc 
arcfour-hmac-md5 aes256-cts aes128-cts 
(b) In /etc/krb5.conf (or /etc/krb5/krb5.conf, depending on the OS), move DES encryption to the front: 
default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts 
default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts 
permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts 
(4) Remove /var/centrifydc/kset.preferred.enctype (if its content is not for DES already).
(5) Restart adclient (/etc/init.d/centrifydc restart). 
(6) You should see 
- /var/centrifydc/kset.preferred.enctype now shows one of the flavor of DES encryption. 
- adclient is running with DES machine credential (TGT). 
- when AD user login, kerberos credential should also use DES encryption. 
(7) Please see KB-1849 (KB-1849: How to configure NFSv4 with Kerberos)

Note: If customers need DES for NFSv4, then they need to fix both adclient side, as well as AD side for enctype.

W2003->W2008 upgrade changes KRBTGT password hash. This invalidates all TGT that were issued prior to upgrade.


adclients need to be restarted by issuing centrifydc restart command.