Cisco Bug: CSCuo74136 - WSA AD realm setup does not permit Kerberos AES client service tickets

Last Modified

Nov 13, 2016

Products (1)

Cisco Web Security Appliance

Known Affected Releases

8.0.5-075

Description (partial)

Symptom:
When using Kerberos authentication with the WSA, by default the Active Directory server will not issue AES128 or AES256 tickets to clients, it will only issue DES or RC4 tickets.

Conditions:
The computer object that is created for the WSA when it joins an AD domain (2008 and later) contains two attributes that are used by AD to determine what encryption capabilities the server (WSA) has, and what types of service tickets it can issue to the client.  The attributes are 'msDS-SupportedEncryptionTypes' and 'operating SystemVersion'.  In the WSA computer object both of these attributes have null value by default.  These values are the reason that the AD server will only issue DES or RC4 tickets.  References:

http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx?Redirected=true

http://social.msdn.microsoft.com/Forums/en-US/21881c8d-57c3-43d3-88b6-6bda3c0abd97/failed-to-get-service-ticket-tgsreq-when-only-aes-enctypes-are-used?forum=os_windowsprotocols

View Bug Details in Bug Search Tool Login Required

Why Is Login Required?

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

Full Description (including symptoms, conditions and workarounds)
Status
Severity
Known Fixed Releases
Related Community Discussions
Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

Learn More About Cisco Service Contracts