Changing the ADFS service account options "this account supports kerberos AES ... "

Tilicho 6 Reputation points
2023-09-13T21:54:11.43+00:00

We are trying to join windows 2022 to 2012 R2 farm with WID and are encountering issues during pre-requisite checks.

One option that we are thinking of trying is to enable "this account supports Kerberos AES 128 bit encryption" and "this account supports Kerberos AES 128 bit encryption" in the account tab of the ADFS service account in Active Directory.

The DCs and ADFS servers all have RC4_HMAC_SHA1, AES128_HMAC_SHA1 and AES256_HMAC_SHA1 set in msDS-SupportedEncryptionTypes.

One would expect that one doesn't have to select these Kerberos options in the account tab, since RC4_HMAC_SHA1, AES128_HMAC_SHA1, AES256_HMAC_SHA1 and "Future encryption types" have been set through group policy and these show up in msDS-SupportedEncryptionTypes.

So the question is: if SSO encounters issues after setting the two options on the service account, will unchecking them be enough to get things working again? Does checking those options mean that the service account will henceforth use AES even if the application (thinking ADFS 2012 R2) may not support AES? And will unchecking it revert it to using RC4?


2 answers

  1. Wesley Li 6,760 Reputation points
    2023-09-28T12:25:37.7733333+00:00

    Hello

    Enabling the options “this account supports Kerberos AES 128 bit encryption” and “this account supports Kerberos AES 256 bit encryption” in the account tab of the ADFS service account in Active Directory could potentially change the encryption type used by the service account.

    If Single Sign-On (SSO) encounters issues after setting these two options, unchecking them might help to get things working again. However, this would depend on the specific issues encountered and the overall configuration of your system.

    Checking those options could mean that the service account will use AES encryption, even if the application (like ADFS 2012 R2) may not support AES. Unchecking it could potentially revert it to use the RC4, given that RC4_HMAC_SHA1 is set in the msds-supportedEncryptionTypes.

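To see concretely what the two Account-tab checkboxes change, here is an added PowerShell check (not from the question or the answer above) that reads msDS-SupportedEncryptionTypes on the service account and decodes its bits, so you can capture the value before and after toggling the options. It assumes the RSAT ActiveDirectory module is available and uses a placeholder account name.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes on a Kerberos service account.
# Assumes the RSAT ActiveDirectory module; the account name below is a placeholder.
Import-Module ActiveDirectory

# Bit values defined for msDS-SupportedEncryptionTypes (MS-KILE, Supported Encryption Types Bit Flags).
# The "supports Kerberos AES 128/256" checkboxes in ADUC set the 0x8 and 0x10 bits on the account.
$EncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC'                = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}

function ConvertFrom-SupportedEncTypes {
    param($Value)
    # An absent attribute is not the same as 0: with no value the KDC applies its own default.
    if ($null -eq $Value) { return @('(not set: KDC default applies)') }
    $Value = [int]$Value
    $names = @(foreach ($kv in $EncTypeBits.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
    })
    # Bits above AES256 belong to the "future encryption types" range; report them raw.
    $extra = $Value -band (-bnot 0x1F)
    if ($extra) { $names += ('future/other 0x{0:X}' -f $extra) }
    if ($names.Count -eq 0) { $names = @('(0: no types enabled)') }
    return $names
}

function Get-ServiceAccountEncTypes {
    param([Parameter(Mandatory)][string]$AccountName)
    $acct = Get-ADUser -Identity $AccountName -Properties 'msDS-SupportedEncryptionTypes'
    $raw  = $acct.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Account    = $acct.SamAccountName
        RawValue   = $raw
        EncTypes   = (ConvertFrom-SupportedEncTypes -Value $raw) -join ', '
        AesEnabled = [bool]($raw -band 0x18)   # either AES checkbox ticked
        Rc4Enabled = [bool]($raw -band 0x4)    # RC4 still permitted for this account
    }
}

# Run once before and once after changing the checkboxes and compare RawValue (placeholder name).
Get-ServiceAccountEncTypes -AccountName 'svc-adfs-placeholder'
```

Comparing the two RawValue readings tells you whether unchecking cleared the attribute entirely or left a value behind, which is the detail the follow-up question about reverting to RC4 hinges on.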
