Clarification regarding disabling rc4 in kerberos

RRSIT

Hello,

This article from 2011 describes how Kerberos encryption types can be controlled on user and computer accounts by setting LDAP attributes, checkboxes in the user account properties, and via GPO.

We would like to disable RC4 in our domain and only leave AES enabled. Following the article, section three states

"In Windows 7/Windows Server 2008R2, a new policy setting is introduced for specifying the encryption types allowed for Kerberos. This is a system wide global setting that will affect all the accounts on the computer where the policy is applied."

So, when we utilize GPO to make the corresponding setting as explained, what about the 3 checkboxes in the user account properties and the LDAP flag of the computer accounts? Are they still effective?

I tried the procedure in a fresh 2016 lab domain. Everything works fine, with the GPO disabling RC4 and leaving AES enabled. No checkboxes on my test account have been checked. No LDAP attributes have been modified.

Also, when I check klist, I see that Kerberos tickets are already issued with AES256, not just in the lab domain but also in our production environment, where I haven't even made the GPO yet.

Do I understand this correctly: these settings are there for legacy reasons and no longer have any effect?
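An added audit helper (example code, not part of the original post or of any Microsoft tooling) that decodes the encryption-type bitmask shared by the msDS-SupportedEncryptionTypes attribute and by the registry value the GPO writes, so an admin can see per account and per machine whether RC4 is still permitted; the two sample mask values and the function names are constructed for the example.

```powershell
# Added example, not from the original post: decode the Kerberos encryption-type
# bitmask shared by the msDS-SupportedEncryptionTypes LDAP attribute and by the
# registry value written by the "Network security: Configure encryption types
# allowed for Kerberos" GPO. Bit values are the documented ones; the sample masks
# at the bottom are constructed.
$EncTypeBits = @{
    0x01 = 'DES_CBC_CRC'
    0x02 = 'DES_CBC_MD5'
    0x04 = 'RC4_HMAC_MD5'
    0x08 = 'AES128_CTS_HMAC_SHA1_96'
    0x10 = 'AES256_CTS_HMAC_SHA1_96'
}

function ConvertTo-KerberosEncTypes {
    param([int]$Mask)
    # 0 / not set: the value itself imposes no restriction of its own
    if ($Mask -eq 0) { return @('<not set>') }
    $names = @(foreach ($bit in ($EncTypeBits.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $EncTypeBits[$bit] }
    })
    # Flag any bits outside the table so a stray value is not silently ignored
    $known = ($EncTypeBits.Keys | Measure-Object -Sum).Sum
    $extra = $Mask -band (-bnot $known)
    if ($extra) { $names += ('unknown bits 0x{0:X}' -f $extra) }
    return $names
}

function Test-RC4NotExcluded {
    param([int]$Mask)
    # Unset (0) excludes nothing; otherwise check whether the RC4 bit is present
    return ($Mask -eq 0 -or ($Mask -band 0x04) -ne 0)
}

# Live queries (run in a domain-joined session with the ActiveDirectory module):
# $acctMask = (Get-ADObject -Identity $dn -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
# $gpoMask  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' -ErrorAction SilentlyContinue).SupportedEncryptionTypes

# Constructed sample values standing in for the two queries above:
$acctMask = 0x1C   # account attribute: RC4 + AES128 + AES256
$gpoMask  = 0x18   # GPO registry value: AES128 + AES256 only

"Account attribute : $((ConvertTo-KerberosEncTypes $acctMask) -join ', ')"
"GPO registry value: $((ConvertTo-KerberosEncTypes $gpoMask) -join ', ')"
"RC4 not excluded by account attribute: $(Test-RC4NotExcluded $acctMask)"
"RC4 not excluded by GPO policy       : $(Test-RC4NotExcluded $gpoMask)"
```

Running both checks over every account and every machine policy shows where RC4 is still allowed by one setting even though it is excluded by the other.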
