ESXi host Kerberos authentication uses RC4 encryption 0x17 instead of AES 0x12
Article ID: 399639

Products

VMware vSphere ESXi

Issue/Introduction

  • After configuring ESXi to authenticate with Active Directory, the ESXi host's Kerberos configuration includes RC4-HMAC (encryption type 0x17) by default, so the host can authenticate using RC4.

Cause

  • The RC4 configuration is part of the default configuration for ESXi.

Resolution

To migrate ESXi Kerberos authentication from RC4 (0x17) to AES (0x12) encryption, perform the following steps so that the host configuration matches the Active Directory computer object.

  • Edit the /etc/krb5.conf file on the ESXi host to remove the RC4 encryption type:
    1. SSH to the target host.
    2. Back up the "/etc/krb5.conf" file to a safe place.
    3. Edit /etc/krb5.conf, removing the keyword "RC4-HMAC" from the lines configuring "default_tgs_enctypes", "default_tkt_enctypes", and "preferred_enctypes".
       Before:
         [libdefaults]
          default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
          default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
          preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
          allow_weak_crypto = true
       After:
         [libdefaults]
          default_tgs_enctypes = AES256-CTS AES128-CTS
          default_tkt_enctypes = AES256-CTS AES128-CTS
          preferred_enctypes = AES256-CTS AES128-CTS
          allow_weak_crypto = true
    4. In the same file, set the "disable_modifications" value in the [likewise] section to "true".
       Before:
         [likewise]
         disable_modifications = false
         version = 1
       After:
         [likewise]
         disable_modifications = true
         version = 1
    5. Save the changes and perform a graceful reboot of the ESXi host using the "reboot" command.

Note: Configuration changes will not be saved if a forced reboot of the ESXi host is performed using the "reboot -f" command. If the issue persists, contact Broadcom support.
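The steps above applied as a script, as an added example that is not part of this KB article and not VMware/Broadcom code. It assumes the krb5.conf layout shown in the article (the three enctype lines under [libdefaults] with RC4-HMAC listed last, and a disable_modifications line under [likewise]) and uses only sed and grep features available in the ESXi busybox shell. The sample file it rewrites is constructed here to match the "Before" blocks; the function names harden_krb5_conf and verify_krb5_conf are this example's own.

```shell
#!/bin/sh
# Added example: apply the two krb5.conf edits the KB describes and verify
# the result. Not from the article; assumes the file layout shown there.

# Print the hardened form of the krb5.conf given as $1 on stdout:
#  - drop RC4-HMAC from the three enctype lines under [libdefaults]
#  - change "disable_modifications = false" to "true" under [likewise]
# Every other line is passed through unchanged.
harden_krb5_conf() {
    sed \
        -e '/^[[:space:]]*default_tgs_enctypes[[:space:]]*=/s/[[:space:]]*RC4-HMAC//g' \
        -e '/^[[:space:]]*default_tkt_enctypes[[:space:]]*=/s/[[:space:]]*RC4-HMAC//g' \
        -e '/^[[:space:]]*preferred_enctypes[[:space:]]*=/s/[[:space:]]*RC4-HMAC//g' \
        -e 's/^\([[:space:]]*disable_modifications[[:space:]]*=[[:space:]]*\)false/\1true/' \
        "$1"
}

# Return 0 only when the file in $1 is in the state the KB wants:
# no RC4-HMAC on any of the three enctype lines, and
# disable_modifications = true. Use this as the post-edit check before
# rebooting, and again after the reboot to confirm the edit persisted.
verify_krb5_conf() {
    if grep -E '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes)[[:space:]]*=' "$1" \
        | grep -q 'RC4-HMAC'; then
        return 1
    fi
    grep -Eq '^[[:space:]]*disable_modifications[[:space:]]*=[[:space:]]*true' "$1"
}

# Constructed sample matching the article's "Before" blocks, written to a
# temporary directory so the demonstration never touches /etc/krb5.conf.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
 default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
 default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
 preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
 allow_weak_crypto = true

[likewise]
disable_modifications = false
version = 1
EOF

# Write the hardened copy next to the sample and show it.
harden_krb5_conf "$SAMPLE_DIR/krb5.conf" > "$SAMPLE_DIR/krb5.conf.new"
cat "$SAMPLE_DIR/krb5.conf.new"

if verify_krb5_conf "$SAMPLE_DIR/krb5.conf.new"; then
    echo "OK: no RC4-HMAC on enctype lines and disable_modifications = true"
else
    echo "FAIL: krb5.conf still allows RC4-HMAC or is not locked"
fi
```

On a real host the same functions fit the article's order of operations: back up first (cp /etc/krb5.conf /etc/krb5.conf.bak), write the hardened version from the backup (harden_krb5_conf /etc/krb5.conf.bak > /etc/krb5.conf), run verify_krb5_conf /etc/krb5.conf, and then reboot gracefully with "reboot", not "reboot -f", so the change is persisted. Re-running verify_krb5_conf after the host comes back is the quickest way to confirm the configuration survived the reboot.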