Why is Windows 2003 Server forcing RC4 HMAC Encryption?

Why is Windows 2003 Server forcing RC4 HMAC Encryption? Mark Phillips 12-19-2006
Posted by Mark Phillips on December 19, 2006, 8:40 am
Hello all,

I am trying to achieve single sign-on capabilities using a Weblogic server
running on a Win XP machine and the Active Directory server running on a
Windows 2003 server.

I have set up the service principal (user running the Weblogic server) to use
DES encryption via the Active Directory dialog.
However it seems that the Windows 2003 Server is only ever sending an RC4
HMAC token when Weblogic is trying to validate the Service principal.

I have looked at the Microsoft support article which states that Win 2003
Server will always use the strongest encryption.
http://support.microsoft.com/kb/833708
I have a newer dll than suggested and have implemented the registry change
with no effect. The win 2003 server is still returning RC4 HMAC tokens.

It seems that currently you cannot communicate using DES tokens with a Win
2003 Server from another windows machine. Is this true or have I done
something fundamentally wrong?

Many thanks for your help.

Mark

Posted by S. Pidgorny on December 20, 2006, 5:47 am
Mark, I don't have the answer (and probably won't have) but you may have
a better chance of having your question answered if you tell the group:

* Is the story about Kerberos tickets encryption?
* Which "Active Directory dialog"?

At the very least we could suggest appropriate diagnostic tools, given that
information.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

> Hello all,
>
> I am trying to achieve single sign-on capabilities using a Weblogic server
> running on a Win XP machine and the Active Directory server running on a
> Windows 2003 server.
>
> I have set up the service principal (user running the Weblogic server) to
> use
> DES encryption via the Active Directory dialog.
> However it seems that the Windows 2003 Server is only ever sending an RC4
> HMAC token when Weblogic is trying to validate the Service principal.
>
> I have looked at the Microsoft support article which states that Win 2003
> Server will always use the strongest encryption.
> http://support.microsoft.com/kb/833708
> I have a newer dll than suggested and have implemented the registry change
> with no effect. The win 2003 server is still returning RC4 HMAC tokens.
>
> It seems that currently you cannot communicate using DES tokens with a Win
> 2003 Server from another windows machine. Is this true or have I done
> something fundamentally wrong?
>
> Many thanks for your help.
>
> Mark



Posted by Mark Phillips on December 20, 2006, 11:20 am
Thank you for the reply.

The extra info is...

The dialog is the Active Directory Users and Computers. This is where I
created a 'user' to eventually be a Service Principal using the 'Setspn'
command.

I do create a Kerberos ticket for this Service Principal user. I have tried
both 'keytab' and 'ktpass' commands to create these keys with still the same
effect. I only have des-cbc-md5 des-cbc-crc declared as my enctypes in my
krb5.ini file. I assume Weblogic uses this kerberos ticket when communicating
with the Active Directory KDC.

The Weblogic server uses Java JDK 1.5 to run it and currently this cannot
parse RC4 HMAC encryptions, only DES. I think JDK 6 does do RC4 HMAC
decryptions but Weblogic will not run with Java 6 yet.

Thank you

Mark

"S. Pidgorny <MVP>" wrote:

> Mark, I don't have the answer (and probably won't have) but you may have
> a better chance of having your question answered if you tell the group:
>
> * Is the story about Kerberos tickets encryption?
> * Which "Active Directory dialog"?
>
> At the very least we could suggest appropriate diagnostic tools, given that
> information.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> > Hello all,
> >
> > I am trying to achieve single sign-on capabilities using a Weblogic server
> > running on a Win XP machine and the Active Directory server running on a
> > Windows 2003 server.
> >
> > I have set up the service principal (user running the Weblogic server) to
> > use
> > DES encryption via the Active Directory dialog.
> > However it seems that the Windows 2003 Server is only ever sending an RC4
> > HMAC token when Weblogic is trying to validate the Service principal.
> >
> > I have looked at the Microsoft support article which states that Win 2003
> > Server will always use the strongest encryption.
> > http://support.microsoft.com/kb/833708
> > I have a newer dll than suggested and have implemented the registry change
> > with no effect. The win 2003 server is still returning RC4 HMAC tokens.
> >
> > It seems that currently you cannot communicate using DES tokens with a Win
> > 2003 Server from another windows machine. Is this true or have I done
> > something fundamentally wrong?
> >
> > Many thanks for your help.
> >
> > Mark
>
>
>

Posted by Paul Nelson on December 20, 2006, 11:09 am
It sounds like your Weblogic server only does Kerberos with DES (meaning
that the service keys it holds only have DES encryption).

It also sounds like the KDC (Domain controller) has only got the shared
secret encrypted with RC4. This is preventing the two from negotiating an
available encryption type.

Two things would help. First, if you are using a service account for the
server, make sure the "Use DES encryption types for this account" is checked
in ADUC. Second, make sure you set the crypto option (/crypto) when you
create the keytab using ktpass.

Paul Nelson
Thursby Software Systems, Inc.


in article D098D53C-01D7-4686-9A09-29E69B1429E6@microsoft.com, Mark Phillips
at Mark Phillips@discussions.microsoft.com wrote on 12/19/06 7:40 AM:

> Hello all,
>
> I am trying to achieve single sign-on capabilities using a Weblogic server
> running on a Win XP machine and the Active Directory server running on a
> Windows 2003 server.
>
> I have set up the service principal (user running the Weblogic server) to use
> DES encryption via the Active Directory dialog.
> However it seems that the Windows 2003 Server is only ever sending an RC4
> HMAC token when Weblogic is trying to validate the Service principal.
>
> I have looked at the Microsoft support article which states that Win 2003
> Server will always use the strongest encryption.
> http://support.microsoft.com/kb/833708
> I have a newer dll than suggested and have implemented the registry change
> with no effect. The win 2003 server is still returning RC4 HMAC tokens.
>
> It seems that currently you cannot communicate using DES tokens with a Win
> 2003 Server from another windows machine. Is this true or have I done
> something fundamentally wrong?
>
> Many thanks for your help.
>
> Mark


Posted by Mark Phillips on December 21, 2006, 9:54 am
Hello Paul,

I have double checked that the User Principal does have "Use DES encryption
types for this account" checked and I also created the keytab file again
using ktpass using the -crypto des-cbc-md5 option.

I am still getting the same errors:
"Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC".

It seems that every configuration and key creation I have tried has led to
the same fundamental error that the Win 2003 Server KDC is not sending
Weblogic a DES based token.

Thank you for the advice.

Mark

"Paul Nelson" wrote:

> It sounds like your Weblogic server only does Kerberos with DES (meaning
> that the service keys it holds only have DES encryption).
>
> It also sounds like the KDC (Domain controller) has only got the shared
> secret encrypted with RC4. This is preventing the two from negotiating an
> available encryption type.
>
> Two things would help. First, if you are using a service account for the
> server, make sure the "Use DES encryption types for this account" is checked
> in ADUC. Second, make sure you set the crypto option (/crypto) when you
> create the keytab using ktpass.
>
> Paul Nelson
> Thursby Software Systems, Inc.
>
>
> in article D098D53C-01D7-4686-9A09-29E69B1429E6@microsoft.com, Mark Phillips
> at Mark Phillips@discussions.microsoft.com wrote on 12/19/06 7:40 AM:
>
> > Hello all,
> >
> > I am trying to achieve single sign-on capabilities using a Weblogic server
> > running on a Win XP machine and the Active Directory server running on a
> > Windows 2003 server.
> >
> > I have set up the service principal (user running the Weblogic server) to use
> > DES encryption via the Active Directory dialog.
> > However it seems that the Windows 2003 Server is only ever sending an RC4
> > HMAC token when Weblogic is trying to validate the Service principal.
> >
> > I have looked at the Microsoft support article which states that Win 2003
> > Server will always use the strongest encryption.
> > http://support.microsoft.com/kb/833708
> > I have a newer dll than suggested and have implemented the registry change
> > with no effect. The win 2003 server is still returning RC4 HMAC tokens.
> >
> > It seems that currently you cannot communicate using DES tokens with a Win
> > 2003 Server from another windows machine. Is this true or have I done
> > something fundamentally wrong?
> >
> > Many thanks for your help.
> >
> > Mark
>
>
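The mismatch Paul describes (the service keys held in the keytab versus the enctype of the ticket the KDC issues) can be checked directly in the keytab file, which is the first thing to verify before touching the KDC. The script below is an added example, not code from the thread or from Weblogic, Microsoft or Thursby: it parses an MIT-format keytab (version 0x0502, the format ktpass and the Java Kerberos stack read), lists the principal, kvno and enctype of every key, and reports whether a ticket of a given enctype (23 for RC4-HMAC, 3 for des-cbc-md5, 1 for des-cbc-crc) could be decrypted with those keys. The SPN `HTTP/weblogic.example.com@EXAMPLE.COM`, the realm and the key bytes are constructed sample values; the keytab builder exists only so the example runs offline.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757) relevant to this thread.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

def _counted(data: bytes) -> bytes:
    # keytab "counted octet string": 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(data)) + data

def keytab_entry(realm, components, enctype, key, kvno):
    """One MIT keytab v2 entry: 32-bit size, then principal, name type,
    timestamp, 8-bit kvno and the keyblock (enctype, length, key)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">II", 1, 0)            # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, keylen) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                             # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        pos += 8                                 # name_type and timestamp, not needed here
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                          # skip over the key material itself
        if end - pos >= 4:                       # optional 32-bit kvno, wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "keylen": klen})
    return entries

def keys_for(entries, principal):
    """Set of enctypes for which the keytab holds a key of the given principal."""
    return {e["enctype"] for e in entries if e["principal"] == principal}

def diagnose(entries, principal, ticket_enctype):
    """Explain whether a service ticket of the given enctype could be decrypted."""
    have = keys_for(entries, principal)
    want = ENCTYPE_NAMES.get(ticket_enctype, f"enctype {ticket_enctype}")
    if ticket_enctype in have:
        return f"ok: {principal} has a {want} key in the keytab"
    have_names = ", ".join(ENCTYPE_NAMES.get(e, str(e)) for e in sorted(have)) or "none"
    return f"mismatch: ticket for {principal} is {want}; keytab holds only {have_names}"

# Constructed sample: a DES-only keytab like the one ktpass /crypto des-cbc-md5 would
# produce for the service account, plus a deleted slot to exercise that code path.
SERVICE = "HTTP/weblogic.example.com@EXAMPLE.COM"      # hypothetical SPN
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + keytab_entry("EXAMPLE.COM", ["HTTP", "weblogic.example.com"], 3, b"\x01" * 8, 2)
    + struct.pack(">i", -8) + b"\x00" * 8
    + keytab_entry("EXAMPLE.COM", ["HTTP", "weblogic.example.com"], 1, b"\x02" * 8, 2)
)

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"]))
    print(diagnose(parsed, SERVICE, 23))   # the RC4-HMAC case from the thread
    print(diagnose(parsed, SERVICE, 3))
```

Against a real file, call `parse_keytab(open(path, "rb").read())` and `diagnose` with the enctype reported in the error (23 for "RC4 with HMAC"). If the keytab only holds DES keys while the KDC keeps issuing RC4-HMAC tickets, the problem is on the KDC/account side (the account's DES flag and the kvno of the keys it holds), not in the keytab; if the keytab itself lacks the expected DES key or its kvno differs from the account's, the keytab was not generated against the same account state and should be regenerated.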
