Kerberos SSO does not work when RC4_HMAC_MD5 is disabled by policy

Version 2

    Verified Product Versions

    AppSense DataNow 4.2
    AppSense File Director 4.3

    Introduction

    In an environment where Kerberos encryption algorithms are being manipulated by group policy, and where support for RC4_HMAC_MD5 encryption has been disabled, you may find that File Director clients fail to connect.

    A network trace between the endpoint and the ticket-granting server (the local domain controller), filtered on Kerberos, will show the following error in the KDC's response to the client's TGS-REQ message:

    [Screenshot: Kerberos-filtered network trace showing the KDC error response to the TGS-REQ]

    "KRB5KDC_ERR_ETYPE_NOSUPP"

    This is caused by a mismatch between the Kerberos encryption types the client proposes and those the KDC is configured to accept.

    Detail

    File Director currently supports the following Kerberos encryption types:

    aes128-cts

    rc4-hmac

    des3-cbc-sha1

    From a Windows perspective, a user account can typically only use AES- or DES-based encryption if these are specifically enabled in the account options in Active Directory (only available on Windows Server 2008 R2 and later).

    If RC4 has been disabled, ensure that both the pre-authentication account and the end-user accounts have the 'This account supports Kerberos AES 128 bit encryption' option checked.

    Note: Due to Kerberos ticket caching, the setting change may not take effect for some time.

    To confirm the setting has taken effect, run 'klist' from a non-elevated command prompt in the end-user session and look for an AES128-encrypted service ticket similar to the following:

    [Screenshot: klist output showing a service ticket with KerbTicket Encryption Type AES-128-CTS-HMAC-SHA1-96]
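    The following PowerShell is an added example for the procedure above; it is not part of the original article and not AppSense/Ivanti code. It reads the msDS-SupportedEncryptionTypes attribute behind the 'This account supports Kerberos AES 128 bit encryption' checkbox (flag values as documented in MS-KILE), can set that flag on an account, and parses klist output to report the encryption type of the File Director service ticket. The ActiveDirectory module is assumed for the AD part; the account names, the HTTP/ SPN and the klist text in the usage section are constructed placeholders, not values from the article.

```powershell
# Added example, not from the original KB article.
# Requires the ActiveDirectory PowerShell module for Get-ADUser / Set-ADUser.

# Flag values of msDS-SupportedEncryptionTypes (MS-KILE). The AD account
# checkbox 'This account supports Kerberos AES 128 bit encryption' sets 0x8.
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function Get-KerberosEncTypes {
    # Returns which encryption types an account explicitly advertises.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user  = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SupportedEncryptionTypes'
    # Unset attribute casts to 0: no explicit list, so the KDC uses its defaults,
    # which in the scenario above no longer include RC4.
    $value = [int]($user.'msDS-SupportedEncryptionTypes')
    $enabled = $EncTypeFlags.GetEnumerator() |
        Where-Object { ($value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
    [pscustomobject]@{
        Account     = $SamAccountName
        RawValue    = $value
        Enabled     = @($enabled)
        Aes128Ready = (($value -band $EncTypeFlags.AES128_CTS_HMAC_SHA1_96) -ne 0)
    }
}

function Enable-KerberosAes128 {
    # Same effect as ticking the AES 128 checkbox; other flags are preserved.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SupportedEncryptionTypes'
    $new  = [int]($user.'msDS-SupportedEncryptionTypes') -bor $EncTypeFlags.AES128_CTS_HMAC_SHA1_96
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = $new }
}

function Find-ServiceTicketEncType {
    # Walks klist output and returns the encryption type of the first ticket
    # whose Server line matches $ServerPattern (wildcards allowed).
    param(
        [Parameter(Mandatory)][string[]]$KlistOutput,
        [Parameter(Mandatory)][string]$ServerPattern
    )
    $server = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(.+?)\s*$') { $server = $Matches[1]; continue }
        if ($line -match '^\s*KerbTicket Encryption Type:\s*(.+?)\s*$' -and $server -like $ServerPattern) {
            return [pscustomobject]@{
                Server   = $server
                EncType  = $Matches[1]
                IsAes128 = ($Matches[1] -like 'AES-128*')
            }
        }
    }
    return $null
}

# --- usage (placeholder account names and SPN) -------------------------------
# Get-KerberosEncTypes -SamAccountName 'svc-fd-preauth'
# Get-KerberosEncTypes -SamAccountName 'jdoe'
# Enable-KerberosAes128 -SamAccountName 'jdoe'
# Because of ticket caching, run 'klist purge' in the user session (or log off
# and on) before re-checking; then feed the live output in with:
#   Find-ServiceTicketEncType -KlistOutput (klist) -ServerPattern 'HTTP/filedirector*'

# Constructed sample klist output (not a real capture) so the parser runs offline.
$sampleText = @'
#1>     Client: jdoe @ CORP.EXAMPLE
        Server: HTTP/filedirector.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-128-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
'@
$sampleKlist = $sampleText -split "`r?`n"
Find-ServiceTicketEncType -KlistOutput $sampleKlist -ServerPattern 'HTTP/filedirector*'
```

    Run the account checks against both the pre-authentication account and an affected end-user account; if Aes128Ready is false on either, the KDC has no AES type to fall back to once RC4 is removed, which is exactly the KRB5KDC_ERR_ETYPE_NOSUPP condition described above.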

    References

    Windows Configurations for Kerberos Supported Encryption Type – Microsoft Open Specifications Support Team Blog