Hi
I am trying to make everything authenticate with AES256 in our domain(s)
However, one service account(used with MIM) still authenticates with RC4. The traffic is between two domains. Other traffic between the domains is AES256.
I have run
ksetup /setenctypeattr <trustingdomain> RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
on both domains and verified ok in adsi edit. It also made almost everything use AES256 encryption
Also checked the service account and ticked:
"this account supports kerberos aes128bit encryption"
"this account supports kerberos aes256bit encryption"
And restarted the service on MIM server. But it still authenticates with RC4.
I checked the domain controllers and found in secpol.msc:
network security: configure encryption types allowed for kerberos
I then removed RC4 but then the MIM server started complaining with this event:
An unexpected error has occurred during a password set operation.
"BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): admaexport.cpp(4207): The Kerberos change operation failed: 0xc00002fd
ERR_: MMS(7848): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.4.1302.0"
So I guess I can't force it that way.
The service account is from 2009 and has a service principal name made with "setspn" command.
Microsoft Identity Manager Password ChangeNotification Service (PCNS) is installed on domain controllers and PCNSCFG commands has been used with the account.
Domain Functional level/Forest functional level on both domains: above 2008
Forefront Identity Manager version: 4.4.1302.0
Microsoft Identity Manager Password Change Notification Service Version: 4.3.1935.0
Just thinking of stuff that might be related.
Any thoughts?
I am trying to make everything authenticate with AES256 in our domain(s)
However, one service account(used with MIM) still authenticates with RC4. The traffic is between two domains. Other traffic between the domains is AES256.
I have run
ksetup /setenctypeattr <trustingdomain> RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
on both domains and verified ok in adsi edit. It also made almost everything use AES256 encryption
Also checked the service account and ticked:
"this account supports kerberos aes128bit encryption"
"this account supports kerberos aes256bit encryption"
And restarted the service on MIM server. But it still authenticates with RC4.
I checked the domain controllers and found in secpol.msc:
network security: configure encryption types allowed for kerberos
I then removed RC4 but then the MIM server started complaining with this event:
An unexpected error has occurred during a password set operation.
"BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): admaexport.cpp(4207): The Kerberos change operation failed: 0xc00002fd
ERR_: MMS(7848): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.4.1302.0"
So I guess I can't force it that way.
The service account is from 2009 and has a service principal name made with "setspn" command.
Microsoft Identity Manager Password ChangeNotification Service (PCNS) is installed on domain controllers and PCNSCFG commands has been used with the account.
Domain Functional level/Forest functional level on both domains: above 2008
Forefront Identity Manager version: 4.4.1302.0
Microsoft Identity Manager Password Change Notification Service Version: 4.3.1935.0
Just thinking of stuff that might be related.
Any thoughts?