6

We recently changed the Group Policy setting "Network security: Configure encryption types allowed for Kerberos" to only include AES-128, AES-256, and Future Encryption types, removing the old selection that had RC4 enabled. The domain is a 2008 R2 functional level with one 12R2 DC and one 16 DC. Now the DCs are failing to replicate. I re-enabled RC4 in the GPO, but both of our DCs fail to update to the new GPO, with an error saying they can not authenticate.

Any ideas? The network is pretty much down for the users at the moment.

m314
  • 63
  • 3
  • 1
    I wonder if this happened because your domain's "krbtgt" account is so old that it doesn't have AES keys stored. (I would reset it, and use 'klist' to make sure you are able to obtain AES-based tickets.) – user1686 Oct 29 '20 at 06:44

1 Answer

6

EDIT:

Try (explanation in comments)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Type: REG_DWORD Value data : 2147483647 (Decimal)

Explanation:

- On my Test DC, I've configured the policy in question to allow all encryption types. Looking at my folder where GPO items are saved: C:\Windows\SYSVOL\sysvol\domain\policies\ There is a folder named by its object name, newly created. If I open this folder and then go to Machine > Microsoft > Windows NT > Secedit > GptTmpl.ini and open this file, there you can see the registry setting my policy sets. In my case it is: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Type: REG_DWORD Value data: 2147483647 (Decimal)

- You can try setting that registry key to that value, and it should do the same as the GPO object does.

- Don't forget to restrict the policy to what encryption types you want, as the registry setting enables all.

yagmoth555
  • 16,758
  • 4
  • 29
  • 50
Martinos
  • 181
  • 7
  • I tried that, but unfortunately the local policy shows the current setting, but is greyed out, preventing me from changing it. There must be a registry key that could be changed, but not sure what I would set it to, to re-enable RC4. – m314 Oct 26 '20 at 14:31
  • On my Test DC, I've configured the policy in question to allow all encryption types. Looking at my folder where GPO items are saved: C:\Windows\SYSVOL\sysvol\domain\policies\ There is a folder named by its object name, newly created. If I open this folder and then go to Machine > Microsoft > Windows NT > Secedit > GptTmpl.ini and open this file, there you can see the registry setting my policy sets. In my case it is: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Type: REG_DWORD Value data: 2147483647 (Decimal) – Martinos Oct 26 '20 at 14:50
  • You can try setting that registry key to that value, and it should do the same as the GPO object does. – Martinos Oct 26 '20 at 14:51
  • Updated the reg key and gpupdate worked immediately. Successfully replicated too. Thank you so much! – m314 Oct 26 '20 at 15:02
  • Glad to help, don't forget to restrict the policy to what encryption types you want, as the registry setting enables all. – Martinos Oct 26 '20 at 15:05
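As an added example (not code from the question or the answer): a PowerShell snippet that reads, decodes and writes the SupportedEncryptionTypes DWORD the answer points at, so you can see which types 2147483647 actually turns on and compute the narrower value to put back afterwards. The bit assignments follow the msDS-SupportedEncryptionTypes layout (DES 0x1/0x2, RC4 0x4, AES128 0x8, AES256 0x10, "Future encryption types" 0x7FFFFFE0); the function names are assumptions of this example, not anything from the thread.

```powershell
# Added example, not part of the answer: decode, build and set the
# SupportedEncryptionTypes DWORD the GPO writes. Bits follow the
# msDS-SupportedEncryptionTypes layout; 0x7FFFFFE0 is "Future encryption types".
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$ValueName = 'SupportedEncryptionTypes'
$EncTypeBits = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
    FutureEncryptionTypes   = 0x7FFFFFE0
}
function ConvertFrom-KerberosEncTypes {
    # Lists the encryption types a bitmask enables; 2147483647 yields all six.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($e in $EncTypeBits.GetEnumerator()) {
        if (($Value -band $e.Value) -ne 0) { $e.Key }
    }
}

function New-KerberosEncTypesMask {
    # Builds the bitmask for named types; RC4 + AES128 + AES256 + Future = 0x7FFFFFFC.
    param([Parameter(Mandatory)][string[]]$Names)
    $mask = 0
    foreach ($n in $Names) {
        if (-not $EncTypeBits.Contains($n)) { throw "Unknown encryption type: $n" }
        $mask = $mask -bor $EncTypeBits[$n]
    }
    $mask
}

function Get-KerberosEncTypes {
    # Current policy value, or $null if the policy has never been applied here.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.$ValueName
}

function Set-KerberosEncTypes {
    # Writes the DWORD (run elevated). The next GPO refresh overwrites it, so fix the policy too.
    param([Parameter(Mandatory)][int]$Value)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Value -Type DWord
}

# Recovery value from the answer (everything on, DES included) and the AES-only target:
ConvertFrom-KerberosEncTypes -Value 2147483647
$target = New-KerberosEncTypesMask -Names 'AES128_CTS_HMAC_SHA1_96','AES256_CTS_HMAC_SHA1_96','FutureEncryptionTypes'
'Current: {0}  Target: {1} (0x{1:X8})' -f (Get-KerberosEncTypes), $target
```

Before writing the AES-only target back, check that the krbtgt account and any service accounts actually hold AES keys (user1686's comment above describes resetting krbtgt and confirming with klist), otherwise the same authentication failure returns on the next policy refresh.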