This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 1%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
I enabled RC4, AES128 and AES256 across all enabled computers and users in a domain/forest and now all tickets are encrypted with AES256, except those issued for SQL access. SQL 2016 servers run on Windows 2019 and SQL compatibility level is set to 130. I tried disabling RC4 for accounts running SQL service and SQL reporting service, but the end users kept receiving RC4 tickets and connecting successfully. When I disabled RC4 for the SQL computer, the end users were unable to connect to the SQL server.
Is there something in SQL that needs to be configured for AES to be used for Kerberos ticket encryption?
Thanks
Zoran
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
In order to narrow down the issue, would you please help collect the information below?
What's the functional level for your domain?
Is it a single domain in your environment?
Any trust created for the domain?
What's the error when you connect to the SQL server?
Best Regards,
FFL and DFL are Windows 2012 R2.
I have 4 forests, 2 with 2 domains and 2 with a single domain. The problem manifests in both cases.
There are no forest trusts, but there are domain trusts in the forests with multiple domains. Domain trusts are configured for RC4, AES128 and AES256 following the instructions from
https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust
I use udl file to test connection and, when SQL server is restricted to AES256, an error pops up: "Test connection failed because of an error in initializing provider. Cannot generate SSPI context".
Thanks
The problem was related to old user accounts created in pre-AES AD whose passwords were never reset. 2 password resets, with full AD replication in between, enables AES support.
I did some more testing and managed to eliminate SQL as a possible cause. I created a new gMSA account, registered SQL SPN and used it to run SQL service and SQL agent on a test server. Now when I restricted both gMSA and the server account to AES256, it still worked. So it seems it's something with the old SQL service account which has been around probably since Windows 2000, but it's not the only one from that time, but it's the only one causing this issue.
Replacing this account across the domain is a bit tricky as it has 1000+ SPNs registered, configured Kerberos delegation for dozens of apps etc, so preferred way would be to fix it at this stage.
Is there something in the account's setting that could prevent it from using AES for Kerberos encryption?
Thanks
Hi,
From my side, i would try to capture a network package and check more details about the whole Kerberos processes.
And confirm the error happened on which process.
Best Regards,
Hi,
Welcome to share your current situation.
Please feel free to let us know if you need further assistance.
Best Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 44%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Hi,
First and foremost, if the server and the computers are in different domain, this behavior is expected as trust by default supports RC4.
If that is the case, you may need to enable AES from trust properties.
