Windows 7/2008 Kerberos Default Encryption and Windows 2003/2000


With the latest OS release, Microsoft changed the default Kerberos encryption type from RC4 to AES for the client's first attempt at a Ticket Granting Service (TGS) request.  As long as the client, whether it is Windows 7 or Windows 2008, communicates with a Windows 2008 R2 Domain Controller (DC), everything is fine.  However, if the client talks to a Windows 2003/2000 DC, the client still defaults to AES, and these DCs don't speak AES.  The clients are intelligent enough to then attempt other encryption methods, but the DC will log an Event ID 27 error in the System Event log, giving you the impression that you have problems, as seen below.

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 27
Date: 9/28/2010
Time: 1:21:04 PM
User: N/A
Computer: DC
Description:
While processing a TGS request for the target server krbtgt/DOMAIN.COM, the account Windows7Client@MNPOWER.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The key to this mystery is the line "The requested etypes were 18."  This etype is defined in RFC 3962, http://www.ietf.org/rfc/rfc3962.txt.
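
As an added example (not part of the original post), the Python below parses the description text of a KDC Event ID 27 like the one above, names the etype numbers, and flags the pattern this post describes: an AES-only request against an account that holds an RC4 key but no AES key. The function, field and constant names are assumptions made for illustration, and negative etypes are only labelled as Microsoft-private values.

```python
import re

# Etype numbers from the IANA Kerberos registry (RFC 3961, RFC 3962, RFC 4757).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES = {17, 18}
RC4 = 23

# Constructed sample: the description text of the event quoted above.
SAMPLE = ("While processing a TGS request for the target server krbtgt/DOMAIN.COM, "
          "the account Windows7Client@MNPOWER.COM did not have a suitable key for "
          "generating a Kerberos ticket (the missing key has an ID of 8). "
          "The requested etypes were 18.  The accounts available etypes were "
          "23  -133  -128  3  1.")

PATTERN = re.compile(
    r"target server (?P<target>\S+), the account (?P<account>\S+) did not have"
    r".*?requested etypes were (?P<req>[-\d ]+)\."
    r".*?available etypes were (?P<avail>[-\d ]+)\.")


def label(etype):
    """Return 'number (name)'; negative numbers are Microsoft-private etypes."""
    if etype < 0:
        return f"{etype} (Microsoft-private)"
    return f"{etype} ({ETYPES.get(etype, 'unknown')})"


def parse_event27(description):
    """Parse a KDC Event ID 27 description; return None if it does not match."""
    m = PATTERN.search(" ".join(description.split()))  # collapse wrapped lines
    if m is None:
        return None
    req = [int(x) for x in re.findall(r"-?\d+", m["req"])]
    avail = [int(x) for x in re.findall(r"-?\d+", m["avail"])]
    # Pattern from this post: the client asked only for AES, the account has no
    # AES key but does have RC4, so the client's retry with RC4 can succeed.
    noise = bool(req) and set(req) <= AES and RC4 in avail and not AES & set(avail)
    return {"target": m["target"], "account": m["account"],
            "requested": [label(e) for e in req],
            "available": [label(e) for e in avail],
            "aes_fallback_noise": noise}


if __name__ == "__main__":
    for key, value in parse_event27(SAMPLE).items():
        print(f"{key}: {value}")
```

Events where aes_fallback_noise is False, for example an RC4 request against an account with only DES keys, do not fit the pattern described in this post and deserve a separate look.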

Unfortunately, there is no way to stop the Event Log errors, so you will have to modify the default value the clients start with when attempting a Kerberos session.

HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters

Value Name:  DefaultEncryptionTypeValue

Type:  Reg_DWORD

Value Data:  0x17 (23)

This sets RC4 as the default value and still allows AES if needed.

Since I have a mid-sized environment that was continuously adding new Win7 clients, I wasn't about to ask our PC support staff to manually change the registry, since that would be a difficult task, and once we are up to Windows 2008 R2 FFL, I would like my default to be AES once again.  So I decided to build a WMI Group Policy and apply it to our Workstations OU. Under the "Common" tab of the new registry key, be sure to select "Remove this item when it is no longer needed"; this will then remove the entry if the client doesn't have the policy applied against it.

So I built a preference GPO with the registry settings above and applied it to all my Win7 clients via the WMI Filter below:

select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"

 

How to apply a WMI Filter
http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx

Note:
This will capture both 2008 R2 and Windows 7 clients, so if you only want to apply this against Windows 7, make sure that the GPO is linked to an OU that doesn't contain Windows 2008 R2 servers.

Thanks to Mark Parris for his invaluable assistance in this blog.