question

JosephTarbit-3060 asked JosephTarbit-3060 commented

Windows Server 2019 AD not correctly negotiating Kerberos encryption type

I have configured “Network security: Configure encryption types allowed for Kerberos” and selected RC4 along with both AES options; however, RC4 does not get enabled unless I uncheck every other option apart from RC4. I’m testing this by using a Windows XP client; however, this obviously affects many other applications that also only support RC4 encryption, including a lot of Linux clients.

I assume what’s going on is that Windows is attempting to authenticate using a higher encryption type than what the requesting client supports, i.e. even though the server has RC4 enabled, it doesn’t use it unless it’s the only enabled encryption type. It works in Windows Server 2016; however, something in 2019 is preventing the correct encryption type from being negotiated.

I’ve tried setting the registry key Kerberos/Parameters/DefaultEncryptionType to RC4 but it doesn’t help.

windows-active-directory windows-server-2019

1 Answer

FanFan-MSFT answered JosephTarbit-3060 commented

Hi,
Since Windows XP is not supported, I didn't have an environment to test the compatibility issues.
Also, because there are no updates and patches for the XP clients, you may have other unexpected compatibility issues.
Here, I would suggest you upgrade the clients.
Best Regards,


This is unrelated to XP; I was just using that to test it. This is a problem with Windows Server that causes issues with many other clients that use the RC4 cipher for Kerberos encryption. The behaviour should match Windows Server 2016; however, it does not, and no changes to it have been documented besides the fact that RC4 is disabled by default. However, even after enabling it via the GPO I specified above, it does not behave correctly.

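To check what the policy named in the question actually wrote on a domain controller, the following added example (not part of the original thread) decodes the `SupportedEncryptionTypes` bitmask and shows which types two masks have in common. The function names and sample masks are constructed for illustration; the registry path and bit values are the documented ones for this policy setting.

```powershell
# Added example, not from the thread. Bit values are the documented
# SupportedEncryptionTypes flags; function names and sample masks are constructed.
[Flags()] enum KerbEType {
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC                = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function ConvertFrom-KerbETypeMask {
    # Split a mask into the named types and the "Future encryption types" bits.
    param([Parameter(Mandatory)][int]$Mask)
    [pscustomobject]@{
        Mask        = '0x{0:X}' -f $Mask
        Types       = [KerbEType]($Mask -band 0x1F)
        FutureTypes = ($Mask -band 0x7FFFFFE0) -ne 0
    }
}

function Get-KerbETypeOverlap {
    # Types present in both masks. This is a set intersection only; it does
    # not model how the KDC chooses among the common types.
    param([Parameter(Mandatory)][int]$Left,
          [Parameter(Mandatory)][int]$Right)
    [KerbEType]($Left -band $Right -band 0x1F)
}

# Constructed sample: the selection from the question (RC4 + AES128 + AES256).
$questionMask = 0x04 -bor 0x08 -bor 0x10
ConvertFrom-KerbETypeMask -Mask $questionMask

# Constructed sample: an RC4-only client compared with that policy value.
Get-KerbETypeOverlap -Left $questionMask -Right 0x04

# On the domain controller: read the value the GPO actually wrote, if any.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$set = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($set) {
    ConvertFrom-KerbETypeMask -Mask $set.SupportedEncryptionTypes
} else {
    'SupportedEncryptionTypes is not set by policy on this machine.'
}
```

The same flags are used by the `msDS-SupportedEncryptionTypes` attribute on computer and service accounts, so the decoder can be applied to those values as well.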