Re: Why is Windows 2003 Server forcing RC4 HMAC Encryption?

It sounds like your Weblogic server only does Kerberos with DES (meaning
that the service keys it holds only have DES encryption).

It also sounds like the KDC (Domain controller) has only got the shared
secret encrypted with RC4. This is preventing the two from negotiating an
available encryption type.

Two things would help. First, if you are using a service account for the
server, make sure the "Use DES encryption types for this account" is checked
in ADUC. Second, make sure you set the crypto option (/crypto) when you
create the keytab using ktpass.

Paul Nelson
Thursby Software Systems, Inc.

in article D098D53C-01D7-4686-9A09-29E69B1429E6@xxxxxxxxxxxxx, Mark Phillips
at Mark Phillips@xxxxxxxxxxxxxxxxxxxxxxxxx wrote on 12/19/06 7:40 AM:

Hello all,

I am trying to achieve single sign-on capabilities using a Weblogic server
running on a Win XP machine and the Active Directory server running on a
Windows 2003 server.

I have set up the service principal (user running the Weblogic server) to use
DES encryption via the Active Directory dialog.
However it seems that the Windows 2003 Server is only ever sending an RC4
HMAC token when Weblogic is trying to validate the Service principal.

I have looked at the Microsoft support article which states that Win 2003
Server will always use the strongest encryption.
I have a newer dll than suggested and have implemented the registry change
with no effect. The Win 2003 server is still returning RC4 HMAC tokens.

It seems that currently you cannot communicate using DES tokens with a Win
2003 Server from another Windows machine. Is this true or have I done
something fundamentally wrong?

Many thanks for your help.
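
Added example, not part of the original thread: one way to check which encryption types a keytab produced by ktpass actually holds, so a mismatch with the KDC shows up before the server is started. It assumes the MIT version 0x0502 keytab layout; the principal, realm, and all-zero keys are constructed sample data.

```python
import struct

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757)
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):  # uint16 length-prefixed bytes -> (bytes, new offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_etypes(data):
    """Return [(principal, kvno, etype_name)] for each entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # negative size marks a deleted slot (hole)
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 4 + 4               # skip name type and timestamp
        kvno = data[p]; p += 1   # 8-bit key version number
        (etype,) = struct.unpack_from(">H", data, p); p += 2
        _key, p = _counted(data, p)
        if end - p >= 4:         # optional 32-bit kvno wins when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno,
                    ETYPES.get(etype, "etype-%d" % etype)))
        off = end
    return out

def build_entry(realm, comps, kvno, etype, key):  # only builds sample data
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample (hypothetical principal): one DES key and one RC4 key
_ARGS = (b"EXAMPLE.COM", [b"HTTP", b"wls.example.com"], 3)
SAMPLE = b"\x05\x02" + build_entry(*_ARGS, 3, bytes(8)) + build_entry(*_ARGS, 23, bytes(16))

if __name__ == "__main__":
    print(*keytab_etypes(SAMPLE), sep="\n")
```

For a real file, pass its bytes, for example `keytab_etypes(open(path, "rb").read())`, and compare the listed types with what the service account is set to use.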