This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 1%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Encountered an issue after building a new MIM system at a customer's. When sync'ing new users to a domain different than where our system is installed, it fails. I tried to set the unicodePwd, but received an error 'cd-error' - no details given. The user is created, but lacks a password, and is therefor disabled. This works flawlessly inside the domain where MIM is installed.
After some testing I find that the error comes from a new GPO that effectively disallows RC4 encryption for kerberos. Allowing RC4 fixes the issue.
The setting is under Computer\policies\Windows\Security\Local\Security:
Network security: Configure encryption types allowed for Kerberos
Is there a way to make MIM use a newer encryption, such as AES128 or AES 256?
Tried to select this on the user used by our AD MA, checking 'this account supports Kerberos AES 128/256 bit encryption' under Account, but don't see any improvement...
Not 100% sure, but it seams that MIM will use any encryption - or rather windows will on MIM's behalf...
Our problem is thought to come from our customers domain-trusts not beeing set up to allow AES...