Encountered an issue after building a new MIM system at a customer's. When sync'ing new users to a domain different than where our system is installed, it fails. I tried to set the unicodePwd, but received an error 'cd-error' - no details given. The user is created, but lacks a password, and is therefore disabled. This works flawlessly inside the domain where MIM is installed.
After some testing I find that the error comes from a new GPO that effectively disallows RC4 encryption for Kerberos. Allowing RC4 fixes the issue.
The setting is under Computer\policies\Windows\Security\Local\Security:
Network security: Configure encryption types allowed for Kerberos
Is there a way to make MIM use a newer encryption, such as AES128 or AES 256?
Tried to select this on the user used by our AD MA, checking 'this account supports Kerberos AES 128/256 bit encryption' under Account, but don't see any improvement...
Not 100% sure, but it seems that MIM will use any encryption - or rather Windows will on MIM's behalf...
Our problem is thought to come from our customer's domain trusts not being set up to allow AES...
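
One way to check the situation described in this thread, as an added example that is not part of the original posts: compare the encryption types the GPO allows with the `msDS-SupportedEncryptionTypes` bitmask on the trust and on the AD MA account. The sample names and values are constructed, and treating an unset attribute as RC4 only is an assumption made for this sketch.

```powershell
# Bit values used by msDS-SupportedEncryptionTypes and by the Kerberos etype policy.
$EtypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128-SHA1' = 0x8
    'AES256-SHA1' = 0x10
}

function ConvertTo-EtypeNames {
    param([int]$Mask)
    # Return the name of every etype whose bit is set in the mask.
    @($EtypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key })
}

function Test-EtypeOverlap {
    param(
        [string]$Name,
        [int]$PolicyMask,            # etypes allowed by the GPO
        [Nullable[int]]$ObjectMask   # attribute value; $null when not set
    )
    # Assumption for this example: an unset (or 0) attribute means RC4 only.
    $effective = if ($ObjectMask) { [int]$ObjectMask } else { 0x4 }
    $common = $PolicyMask -band $effective
    [pscustomobject]@{
        Name       = $Name
        Advertised = (ConvertTo-EtypeNames $effective) -join ', '
        Common     = (ConvertTo-EtypeNames $common) -join ', '
        Usable     = [bool]$common   # False: no etype both sides accept
    }
}

# Constructed sample data. Real values can be read with, for example:
#   Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -Properties msDS-SupportedEncryptionTypes
$policy  = 0x18   # AES128 + AES256 only, RC4 disallowed, as with the GPO in the question
$samples = @(
    @{ Name = 'trust customer.example (attribute not set)'; Mask = $null },
    @{ Name = 'trust customer.example (AES enabled)';       Mask = 0x18 },
    @{ Name = 'user svc-adma (AES 128/256 boxes ticked)';   Mask = 0x18 }
)
$samples |
    ForEach-Object { Test-EtypeOverlap -Name $_.Name -PolicyMask $policy -ObjectMask $_.Mask } |
    Format-Table -AutoSize
```

A row with `Usable` set to False marks an object that shares no encryption type with the policy, which is the condition the answer suspects for the trust even though the AD MA account itself has AES ticked.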