Kerberos SSO does not work when RC4_HMAC_MD5 is disabled by policy

Version 2

    Verified Product Versions

    File Director 4.2
    File Director 4.3



    In an environment where Kerberos encryption algorithms are being manipulated by group policy, and where support for RC4_HMAC_MD5 encryption has been disabled, you may find that File Director clients fail to connect.

    A network trace between the endpoint and the ticket-granting server (the local domain controller), filtered on Kerberos, will show the following error in the response to the client's TGS-REQ message:

    [Screenshot: Screen Shot 2017-04-13 at 13.25.45.jpg, the Kerberos error returned in response to the TGS-REQ]



    This is caused by a mismatch between the Kerberos encryption types proposed by the client and those the KDC is permitted to use.




    File Director currently supports the following Kerberos encryption sets:






    From a Windows perspective, a user account can typically only use AES- or DES-based encryption if these are specifically enabled in the account options in Active Directory (the options are only available on Windows Server 2008 R2 or later).


    If RC4 has been disabled, please ensure that both the pre-authentication and end user accounts have the 'This account supports Kerberos AES 128 bit encryption' box checked.


    Note: Due to Kerberos ticket caching, the setting changes may not take effect for some time.


    To confirm the setting has taken effect, run 'klist' from an un-elevated command prompt in the end user session and look for an AES128-encrypted service ticket similar to the following:


    [Screenshot: Screen Shot 2017-04-13 at 13.23.29.jpg, klist output showing a service ticket with an AES-128 KerbTicket Encryption Type]
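    The two checks above (the AES bits on the account, and the encryption type of the cached service ticket) can also be done programmatically. The following is an added example, not part of this article or of File Director: it decodes an msDS-SupportedEncryptionTypes value and parses 'klist' output to report whether a service ticket was issued with an AES encryption type. The user, realm, SPN HTTP/filedirector.example.com and the klist text are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# msDS-SupportedEncryptionTypes bit flags as documented in MS-KILE.
ETYPE_FLAGS = {0x1: "DES_CBC_CRC", 0x2: "DES_CBC_MD5", 0x4: "RC4_HMAC_MD5",
               0x8: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96"}

# Constructed sample of `klist` output; user, realm and SPN are placeholders.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7a1
Cached Tickets: (2)

#0>     Client: jsmith @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

#1>     Client: jsmith @ EXAMPLE.COM
        Server: HTTP/filedirector.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-128-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
"""


def decode_supported_etypes(value: int) -> List[str]:
    """Expand an msDS-SupportedEncryptionTypes bitmask into etype names."""
    return [name for bit, name in sorted(ETYPE_FLAGS.items()) if value & bit]


def parse_klist(output: str) -> List[Dict[str, str]]:
    """Split klist output into one dict of 'Field: value' pairs per cached ticket."""
    tickets = []
    for block in re.split(r"^#\d+>", output, flags=re.MULTILINE)[1:]:
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:  # lines without a colon (e.g. Ticket Flags) are skipped
                fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets


def service_ticket_etype(tickets: List[Dict[str, str]], spn_prefix: str) -> Optional[str]:
    """Encryption type of the cached service ticket whose Server starts with spn_prefix."""
    for ticket in tickets:
        if ticket.get("Server", "").startswith(spn_prefix):
            return ticket.get("KerbTicket Encryption Type")
    return None  # no ticket for that service has been requested yet


def ticket_uses_aes(tickets: List[Dict[str, str]], spn_prefix: str) -> bool:
    """True when the service ticket was issued with an AES etype rather than RC4/DES."""
    etype = service_ticket_etype(tickets, spn_prefix)
    return etype is not None and etype.startswith("AES-")
```

    On a real endpoint, feed the output of 'klist' to parse_klist and the account's msDS-SupportedEncryptionTypes attribute value to decode_supported_etypes; a ticket that still shows RC4-HMAC after the account change usually means the cached ticket predates the change.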



    Windows Configurations for Kerberos Supported Encryption Type – Microsoft Open Specifications Support Team Blog