Re: Why is Windows 2003 Server forcing RC4 HMAC Encryption?
It sounds like your Weblogic server only does Kerberos with DES (meaning
that the service keys it holds only have DES encryption).

It also sounds like the KDC (Domain controller) has only got the shared
secret encrypted with RC4. This is preventing the two from negotiating an
available encryption type.

Two things would help. First, if you are using a service account for the
server, make sure the "Use DES encryption types for this account" is checked
in ADUC. Second, make sure you set the crypto option (/crypto) when you
create the keytab using ktpass.

Paul Nelson
Thursby Software Systems, Inc.
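The two fixes Paul describes, as an added example (not part of the original thread and not Thursby's or Oracle's code): it sets the "Use DES encryption types for this account" flag on the service account, which is the USE_DES_KEY_ONLY bit of userAccountControl, then cuts the keytab with ktpass and an explicit /crypto so the keytab's key type matches what the DC holds. The domain EXAMPLE.COM, the account svc-weblogic, the SPN HTTP/weblogic01.example.com, the DN and the output path are all assumed names. Run it on the Windows 2003 domain controller as a domain admin.

```powershell
# Added example (not from the original thread): pin a WebLogic service account
# to DES-only Kerberos keys and create a keytab whose key type matches.
# Assumed names: domain EXAMPLE.COM, account svc-weblogic, WebLogic host
# weblogic01.example.com, OU=Service Accounts, output C:\temp\weblogic.keytab.

$Domain    = 'EXAMPLE.COM'
$SamName   = 'svc-weblogic'
$UserDN    = 'CN=svc-weblogic,OU=Service Accounts,DC=example,DC=com'
$Spn       = 'HTTP/weblogic01.example.com'
$KeytabOut = 'C:\temp\weblogic.keytab'

# 1. The ADUC checkbox "Use DES encryption types for this account" is the
#    USE_DES_KEY_ONLY bit (0x200000) of userAccountControl. Set it via ADSI.
$UF_USE_DES_KEY_ONLY = 0x200000
$user = [ADSI]"LDAP://$UserDN"
$uac  = [int]$user.userAccountControl.Value
if (($uac -band $UF_USE_DES_KEY_ONLY) -eq 0) {
    $user.Put('userAccountControl', ($uac -bor $UF_USE_DES_KEY_ONLY))
    $user.SetInfo()
}

# 2. Register the SPN that the WebLogic server's tickets will be issued for.
& setspn.exe -A $Spn $SamName

# 3. Create the keytab with /crypto given explicitly so the keytab key and the
#    DC's key for the account are the same type. /pass * prompts for the new
#    password; resetting it after changing the encryption flag is the usual
#    advice so the account's keys are regenerated under the new setting.
& ktpass.exe /out $KeytabOut /princ "$Spn@$Domain" /mapuser "$SamName@$Domain" `
    /pass * /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL

# 4. Read the flag back to confirm the DC will now issue DES-keyed tickets
#    for this principal instead of RC4-HMAC.
$user.RefreshCache()
$uacAfter = [int]$user.userAccountControl.Value
'DES-only flag set: {0}' -f (($uacAfter -band $UF_USE_DES_KEY_ONLY) -ne 0)
```

Copy the resulting keytab to the WebLogic host and point its Kerberos login module at it. DES is used here only because the WebLogic build in the thread supports nothing stronger; it is a weak cipher and this should be treated as a stopgap until the service side can take RC4-HMAC or AES keys.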


in article D098D53C-01D7-4686-9A09-29E69B1429E6@xxxxxxxxxxxxx, Mark Phillips
at Mark Phillips@xxxxxxxxxxxxxxxxxxxxxxxxx wrote on 12/19/06 7:40 AM:

Hello all,

I am trying to achieve single sign-on capabilities using a Weblogic server
running on a Win XP machine and the Active Directory server running on a
Windows 2003 server.

I have set up the service principal (user running the Weblogic server) to use
DES encryption via the Active Directory dialog.
However it seems that the Windows 2003 Server is only ever sending an RC4
HMAC token when Weblogic is trying to validate the Service principal.

I have looked at the Microsoft support article which states that Win 2003
Server will always use the strongest encryption.
http://support.microsoft.com/kb/833708
I have a newer dll than suggested and have implemented the registry change
with no effect. The win 2003 server is still returning RC4 HMAC tokens.

It seems that currently you cannot communicate using DES tokens with a Win
2003 Server from another windows machine. Is this true or have I done
something fundamentally wrong?

Many thanks for your help.

Mark
