Cisco Bug: CSCuo74136 - WSA AD realm setup does not permit Kerberos AES client service tickets

Last Modified

Nov 13, 2016

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

8.0.5-075

Description (partial)

Symptom:
When using Kerberos authentication with the WSA, the Active Directory server will by default not issue AES128 or AES256 service tickets to clients for the WSA; it issues only DES or RC4 tickets.

Conditions:
The computer object that is created for the WSA when it joins an AD domain (Windows Server 2008 and later) contains two attributes that AD uses to determine what encryption capabilities the server (the WSA) has, and therefore what types of service tickets it can issue to clients for that service. The attributes are 'msDS-SupportedEncryptionTypes' and 'operatingSystemVersion'. In the WSA computer object both of these attributes have a null value by default. These null values are the reason the AD server will only issue DES or RC4 tickets. References:

http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx?Redirected=true

http://social.msdn.microsoft.com/Forums/en-US/21881c8d-57c3-43d3-88b6-6bda3c0abd97/failed-to-get-service-ticket-tgsreq-when-only-aes-enctypes-are-used?forum=os_windowsprotocols
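The bug hinges on how AD reads the msDS-SupportedEncryptionTypes bitmask on a computer object: a null value gives the KDC nothing to go on, so it falls back to legacy ticket types. The following is an added example, not Cisco's code or the WSA's, that decodes that bitmask the way an auditor would when reviewing computer objects exported from AD. The bit values are the ones defined for the attribute in MS-KILE/MS-ADTS; the LDAP records are constructed and the dict shape (attribute names as keys) is an assumption. It does not model AD's operatingSystemVersion heuristic, only the bitmask itself.

```python
"""Decode and audit the msDS-SupportedEncryptionTypes attribute of AD computer objects.

Added example (not Cisco/WSA code). Bit values come from MS-KILE / MS-ADTS.
Input records are constructed dicts standing in for LDAP search results.
"""
from typing import Optional

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
ENCTYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
NAME_TO_BIT = {name: bit for bit, name in ENCTYPE_FLAGS.items()}
AES_MASK = 0x08 | 0x10


def decode_enctypes(value: Optional[int]) -> list:
    """Return the encryption type names set in the bitmask, lowest bit first.

    A null/absent attribute (None) returns an empty list: AD then has no
    declared capability for the account and falls back to its legacy default
    (RC4, plus DES where DES is still enabled), which is what this bug describes.
    """
    if value is None:
        return []
    return [name for bit, name in ENCTYPE_FLAGS.items() if value & bit]


def encode_enctypes(names) -> int:
    """Build the bitmask for a list of encryption type names (raises on unknown names)."""
    value = 0
    for name in names:
        value |= NAME_TO_BIT[name]
    return value


def permits_aes_tickets(value: Optional[int]) -> bool:
    """True only when at least one AES type is explicitly declared on the object."""
    return value is not None and bool(value & AES_MASK)


def audit_computer_objects(objects) -> list:
    """Summarise each computer object: what it declares and whether AES tickets are possible."""
    findings = []
    for obj in objects:
        value = obj.get("msDS-SupportedEncryptionTypes")
        findings.append({
            "name": obj["name"],
            "declared": decode_enctypes(value),
            "aes_service_tickets": permits_aes_tickets(value),
        })
    return findings


# Constructed sample records in the shape of an LDAP export (hypothetical hosts).
SAMPLE_OBJECTS = [
    # An appliance account like the one in the bug: both attributes null.
    {"name": "WSA01$", "operatingSystemVersion": None,
     "msDS-SupportedEncryptionTypes": None},
    # A member server declaring RC4 + AES128 + AES256 (0x1C).
    {"name": "FILESRV01$", "operatingSystemVersion": "6.1 (7601)",
     "msDS-SupportedEncryptionTypes": 0x1C},
]

if __name__ == "__main__":
    for finding in audit_computer_objects(SAMPLE_OBJECTS):
        print(finding)
```

Running the block prints one finding per object; the appliance-style record decodes to no declared types and `aes_service_tickets` is False, while the server declaring 0x1C is reported as AES-capable. The `encode_enctypes` helper shows the value an administrator would compute when they do want to declare AES support (for example 0x18 for AES only, 0x1C for AES plus RC4).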