Windows Server 2012: error when opening Group Policy

  • Question

  • I want to change the domain controller policy.

    Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options - Network security: Configure encryption types allowed for Kerberos.

    But when I use Group Policy Management to edit the Default Domain Controllers Policy as follows:

    Computer Configuration - Policies - Windows Settings - Security Settings

    Notice that an IP Security Policy Management error appears.

    A directory service error has occurred - (80072095)

    The current policy: Configure encryption types allowed for Kerberos.

    choose 

    DES-CBC-MD5

    DES-CBC-CRC

    December 7, 2018, 9:59

All replies

  • Hi,

    Thanks for your question.

    Actually, this behavior is by design:

    When the machine is first set up, there is no AES key for the local account. So, when we promote the machine to be the first DC in a domain, the built-in account is converted into AD from the local SAM. At this point, the system can't generate an AES key, because the key list can only be generated when the password is set; note that we don't store the plaintext password in the system.

    This impacts all Kerberos authentication attempts when the user tries to connect to AD (IPSec Policy connects to AD via LDAP to retrieve its policy storage), and you will notice the following symptoms for the user who didn't change the password after the domain was set up (which typically means the built-in administrator account):

    a. No Kerberos ticket is available when you run the Klist command.

    b. You are prompted to enter the credential in the notification area after login.

    To fix the issue, change the password after the domain is set up, so that the system will generate an AES key in AD for the user.

    Best Regards,

    Lee


    Just do it.

    December 10, 2018, 2:48
    Moderator
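A diagnostic that follows from the explanation above: accounts whose password was last set before the domain object itself was created are the ones that were migrated from the local SAM during promotion and, per the answer, may have no AES Kerberos keys until the password is reset. The script below is an added example, not code from the thread or from Microsoft; the function name `Get-PreDomainPasswordAccount` and the "password predates domain creation" heuristic are my own, and it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host with rights to read user attributes.

```powershell
# Added example (not from the thread): heuristic check for enabled domain accounts
# whose password predates the domain itself, i.e. accounts migrated from the local
# SAM when the first DC was promoted and therefore likely to lack AES Kerberos keys.
# Assumes the RSAT ActiveDirectory module; the heuristic and names are assumptions.
Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute (documented values).
$EncTypeFlags = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertTo-EncTypeNames {
    # Decode the flag value into readable names; 0/unset means the defaults apply.
    param([int]$Value = 0)
    if ($Value -eq 0) { return 'not set (defaults apply)' }
    ($EncTypeFlags.Keys | Where-Object { $Value -band $_ } |
        ForEach-Object { $EncTypeFlags[$_] }) -join ', '
}

function Get-PreDomainPasswordAccount {
    # The domain object's whenCreated marks the moment the domain came into existence.
    $domain        = Get-ADDomain
    $domainCreated = (Get-ADObject -Identity $domain.DistinguishedName `
                        -Properties whenCreated).whenCreated

    Get-ADUser -Filter 'Enabled -eq $true' `
               -Properties pwdLastSet, msDS-SupportedEncryptionTypes |
        ForEach-Object {
            # pwdLastSet is a FILETIME; 0 means "must change password at next logon".
            $pwdSet = if ($_.pwdLastSet -gt 0) {
                [DateTime]::FromFileTime($_.pwdLastSet)
            } else { $null }

            [PSCustomObject]@{
                SamAccountName    = $_.SamAccountName
                IsBuiltInAdmin    = $_.SID.Value -like '*-500'   # RID 500 = built-in Administrator
                PasswordLastSet   = $pwdSet
                PredatesDomain    = ($null -ne $pwdSet) -and ($pwdSet -lt $domainCreated)
                SupportedEncTypes = ConvertTo-EncTypeNames ([int]$_.'msDS-SupportedEncryptionTypes')
            }
        } | Where-Object { $_.PredatesDomain }
}

# Usage: list the suspect accounts. Resetting their password (for example with
# Set-ADAccountPassword) makes the DC derive the AES keys, which is the fix
# described in the answer above.
Get-PreDomainPasswordAccount | Format-Table -AutoSize
```

The output also shows each account's msDS-SupportedEncryptionTypes so you can see whether DES-only or RC4-only values are set alongside the missing-AES-key condition; after the password reset, re-run the script and confirm with klist on the DC that a TGT is issued for the account.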
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    December 11, 2018, 6:30
    Moderator
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    December 24, 2018, 5:49
    Moderator
  • No, it cannot resolve my problem. The problem remains unchanged.
    January 5, 2019, 3:15