Sync: cd-error when trying to set unicodePwd cross-domain - Kerberos RC4 denied.

SteinIP 271 Reputation points

Encountered an issue after building a new MIM system at a customer's. When sync'ing new users to a domain different than where our system is installed, it fails. I tried to set the unicodePwd, but received an error 'cd-error' - no details given. The user is created, but lacks a password, and is therefore disabled. This works flawlessly inside the domain where MIM is installed.

After some testing I find that the error comes from a new GPO that effectively disallows RC4 encryption for kerberos. Allowing RC4 fixes the issue.

The setting is under Computer\policies\Windows\Security\Local\Security:
Network security: Configure encryption types allowed for Kerberos

Is there a way to make MIM use a newer encryption, such as AES128 or AES 256?

Tried to select this on the user used by our AD MA, checking 'this account supports Kerberos AES 128/256 bit encryption' under Account, but don't see any improvement...


1 answer

  1. SteinIP 271 Reputation points

    Not 100% sure, but it seems that MIM will use any encryption - or rather Windows will on MIM's behalf...

    Our problem is thought to come from our customer's domain trusts not being set up to allow AES...

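Added diagnostic for the situation described in the question and answer above (not part of the original thread, and not MIM code): it decodes the msDS-SupportedEncryptionTypes attribute, which is what the "This account supports Kerberos AES 128/256 bit encryption" checkboxes and the "other domain supports Kerberos AES encryption" trust setting write, for the AD MA service account and for every trust object in the local domain. The account name is a placeholder and the ActiveDirectory module is assumed to be present.

```powershell
# Added example; assumes the RSAT ActiveDirectory module. Account name is a placeholder.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE / MS-ADA2).
$EncTypeFlags = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertTo-EncTypeNames {
    param($Value)
    # Unset or 0 means "no explicit list": the DC falls back to its default set,
    # which still includes RC4 unless the Kerberos encryption-types GPO removes it.
    if (-not $Value) { return '(not set: DC default, RC4 eligible)' }
    $names = $EncTypeFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Key } |
        ForEach-Object { $_.Value }
    return ($names -join ', ')
}

$maAccount = 'svc-mim-adma'   # placeholder: the AD MA service account

# 1. The MA account itself. After ticking the AES boxes on the Account tab this
#    should list AES128 and AES256; RC4 alone means the account cannot satisfy an AES-only DC.
$acct = Get-ADUser -Identity $maAccount -Properties 'msDS-SupportedEncryptionTypes'
$acctTypes = ConvertTo-EncTypeNames $acct.'msDS-SupportedEncryptionTypes'
"{0,-40} {1}" -f $acct.SamAccountName, $acctTypes

# 2. Every trust object. This attribute on the trustedDomain object governs the
#    inter-realm referral ticket; if the AES bits are missing here, cross-domain
#    Kerberos negotiates RC4 and fails once the GPO denies RC4, even when the account is fine.
Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties 'msDS-SupportedEncryptionTypes', 'trustPartner' |
    ForEach-Object {
        $trustTypes = ConvertTo-EncTypeNames $_.'msDS-SupportedEncryptionTypes'
        "{0,-40} {1}" -f $_.trustPartner, $trustTypes
    }

# To allow AES on a trust, run on a DC in each domain (replace the partner name):
#   ksetup /setenctypeattr other.example.com AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
```

Run it in both domains: the trust attribute is stored independently on each side, so an AES-only GPO on one side with an RC4-only trust attribute on the other reproduces the cd-error on cross-domain password sets.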