Cisco Bug: CSCuo74136 - WSA AD realm setup does not permit Kerberos AES client service tickets
Last Modified
Nov 13, 2016
Products (1)
- Cisco Web Security Appliance
Known Affected Releases
8.0.5-075
Description (partial)
Symptom: When Kerberos authentication is used with the WSA, the Active Directory server by default does not issue AES128 or AES256 tickets to clients; it issues only DES or RC4 tickets.

Conditions: The computer object that is created for the WSA when it joins an AD domain (2008 and later) contains two attributes that AD uses to determine what encryption capabilities the server (the WSA) has and what types of service tickets AD can issue to the client. The attributes are 'msDS-SupportedEncryptionTypes' and 'operatingSystemVersion'. In the WSA computer object both of these attributes are null by default. These null values are the reason that the AD server issues only DES or RC4 tickets.

References:
http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx?Redirected=true
http://social.msdn.microsoft.com/Forums/en-US/21881c8d-57c3-43d3-88b6-6bda3c0abd97/failed-to-get-service-ticket-tgsreq-when-only-aes-enctypes-are-used?forum=os_windowsprotocols
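An added example (not from Cisco's bug record): a Python audit that reads computer objects exported as LDIF, decodes msDS-SupportedEncryptionTypes, and flags objects where the attribute is unset, which is the state the description gives for the WSA object. The host names and attribute values are constructed, and the bit meanings are those defined for this attribute in Microsoft's [MS-KILE] specification.

```python
# Added example. Bit values follow [MS-KILE]; the LDIF below is constructed sample data.
ETYPE_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
              0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}
AES_MASK = 0x08 | 0x10

SAMPLE_LDIF = """\
dn: CN=WSA01,CN=Computers,DC=example,DC=test
sAMAccountName: WSA01$

dn: CN=FILESRV,CN=Computers,DC=example,DC=test
sAMAccountName: FILESRV$
operatingSystemVersion: 6.3 (9600)
msDS-SupportedEncryptionTypes: 28

dn: CN=LEGACY,CN=Computers,DC=example,DC=test
sAMAccountName: LEGACY$
operatingSystemVersion: 6.1 (7601)
msDS-SupportedEncryptionTypes: 4
"""

def parse_ldif(text):
    """Split LDIF text into one {attribute: value} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({key: value for key, sep, value in pairs if sep})
    return entries

def decode_etypes(raw):
    """Names of the enctype bits set in the attribute; [] when it is unset."""
    mask = int(raw, 0) if raw else 0
    return [name for bit, name in ETYPE_BITS.items() if mask & bit]

def audit(text):
    """Return (account, enctypes, finding) for each computer object."""
    rows = []
    for entry in parse_ldif(text):
        raw = entry.get("msDS-SupportedEncryptionTypes")
        if not raw:
            finding = "unset"    # the state the bug describes for the WSA object
        elif int(raw, 0) & AES_MASK:
            finding = "aes"      # at least one AES enctype is advertised
        else:
            finding = "no-aes"   # attribute present, but only DES/RC4 bits
        rows.append((entry["sAMAccountName"], decode_etypes(raw), finding))
    return rows

if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF), sep="\n")
```

Objects reported as "unset" or "no-aes" are the ones to review when clients are expected to receive AES service tickets.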