How do I get Kerberos to use AES-encrypted tickets?

Article ID: 166109


Products

ProxySG Software - SGOS

Issue/Introduction

I want Kerberos tickets to be encrypted with AES rather than the standard RC4.

Kerberos AES is only supported in Windows Vista or newer and Windows Server 2008 or newer.

Resolution

To configure the ProxySG to use AES for Kerberos tickets, AES Kerberos tickets must be supported for both BCAAA and the end users.

The property for supporting Kerberos AES can be found in the user properties for the Active Directory account running BCAAA.

To verify that Kerberos is using AES, take a packet capture and look for aes256-cts-hmac-sha1-96, as displayed in the screenshot below:
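
The capture check described above, as an added example that is not from the original article: it reads a tab-separated tshark field export and reports the encryption type of the ticket in each AS-REP and TGS-REP, flagging any ticket that is not AES. The sample rows are constructed; the tshark field names in the comment and the rule that the first etype listed in a reply belongs to the ticket are assumptions.

```python
# Kerberos etype numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES = {17, 18}
# KDC replies that carry a ticket: AS-REP (11) and TGS-REP (13).
REPLIES = {11: "AS-REP", 13: "TGS-REP"}

# Constructed sample in the shape of a field export such as:
#   tshark -r capture.pcap -Y kerberos -T fields \
#          -e frame.number -e kerberos.msg_type -e kerberos.etype
# Columns: frame number, message type, comma-separated etypes in the message.
# Assumption: in a reply the ticket's etype is listed first, then the
# etype of the reply's own encrypted part.
SAMPLE = (
    "12\t10\t\n"        # AS-REQ without pre-authentication
    "13\t30\t\n"        # KRB-ERROR (pre-authentication required)
    "14\t10\t18\n"      # AS-REQ with encrypted timestamp
    "15\t11\t18,18\n"   # AS-REP, ticket encrypted with AES256
    "18\t12\t18,18\n"   # TGS-REQ
    "19\t13\t23,18\n"   # TGS-REP, service ticket still RC4
    "24\t12\t18,18\n"   # TGS-REQ
    "25\t13\t18,18\n"   # TGS-REP, service ticket AES256
)

def ticket_etypes(export):
    """Return (frame, reply, ticket etype name, is_aes) for each KDC reply."""
    rows = []
    for line in export.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue  # skip malformed or header lines
        frame, msg_type, etypes = int(fields[0]), int(fields[1]), fields[2]
        if msg_type not in REPLIES or not etypes:
            continue  # requests and errors carry no newly issued ticket
        ticket = int(etypes.split(",")[0])
        name = ETYPES.get(ticket, f"etype-{ticket}")
        rows.append((frame, REPLIES[msg_type], name, ticket in AES))
    return rows

def non_aes_tickets(export):
    """Replies whose ticket is not AES: the account side still needs attention."""
    return [row for row in ticket_etypes(export) if not row[3]]

if __name__ == "__main__":
    for frame, reply, name, ok in ticket_etypes(SAMPLE):
        print(f"frame {frame:>3} {reply:<7} ticket={name:<24} "
              f"{'AES' if ok else 'NOT AES'}")
```

A TGS-REP that still shows rc4-hmac for the ticket while the rest of the exchange is AES points at the service account (here, the one running BCAAA) rather than the client.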