Mixed 2003/2008 Domain Controllers: Account Compromised

While working with a Blackberry Enterprise Server (BES) install, whose setup guide recommends enabling the “this account supports Kerberos AES xxx encryption” option on the user’s AD account, I found that this setting is not supported in a mixed 2003/2008 AD environment. Be sure to select only “Kerberos DES encryption”, per the BES setup instructions. AES encryption is not supported by Server 2003 DCs, so marking an account as AES-capable may produce errors when authenticating or changing passwords: your computer will try the most secure method the account is flagged as supporting, AES 256, and depending on which DC it hits (2003 or 2008) the request may or may not succeed. That made isolating the issue harder, because it wouldn’t consistently work or fail.

Some of the symptoms you’ll observe are:

  • Sys-tray pop-up that your account may be compromised
  • Sys-tray pop-up asking you to lock and unlock your computer, and after you do so it prompts you again
  • Event ID 14: While processing an AS request for target service, the account did not have a suitable key for generating a Kerberos ticket
  • Event ID 40960: The Security System detected an authentication error for the server…the failure code from the authentication protocol was “(0x80080341)”.
  • Event ID 6: Automatic certificate enrollment for USER failed (0,80072095) A directory service error has occurred.

Of course this issue is not isolated to Blackberry installations, but a typical out-of-the-box configuration does not have AES selected, so the issue only arises when you’re in a mixed environment and change that setting; in this case, BES was the reason for the change.
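To find this condition before users start seeing the pop-ups above, the checkboxes in question can be audited directly: they set bits in the account’s msDS-SupportedEncryptionTypes attribute (0x8 = AES128, 0x10 = AES256; 0x1/0x2 = DES, 0x4 = RC4). The script below is an added example, not part of the original post or of BES; it assumes the ActiveDirectory RSAT module is available, that the 2003 DCs report their OS via the OperatingSystem attribute, and that the symptom events land in the System log. The account name in the usage comment is a placeholder.

```powershell
# Added example: audit a mixed 2003/2008 domain for accounts flagged as AES-capable,
# which Server 2003 DCs cannot honour, and optionally clear only the AES bits.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (Microsoft-documented)
$DES_CBC_CRC = 0x01
$DES_CBC_MD5 = 0x02
$RC4_HMAC    = 0x04
$AES128      = 0x08
$AES256      = 0x10
$AesMask     = $AES128 -bor $AES256

function Get-LegacyDomainControllers {
    # Any DC still on Server 2003 makes AES-flagged accounts fail intermittently,
    # depending on which DC the client happens to authenticate against.
    Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -like '*2003*' } |
        Select-Object HostName, Site, OperatingSystem
}

function Get-AesFlaggedAccounts {
    # Accounts where the "supports Kerberos AES 128/256 bit encryption" boxes are ticked.
    Get-ADUser -LDAPFilter '(msDS-SupportedEncryptionTypes=*)' `
               -Properties 'msDS-SupportedEncryptionTypes' |
        Where-Object { ($_.'msDS-SupportedEncryptionTypes' -band $AesMask) -ne 0 } |
        Select-Object SamAccountName,
            @{ Name = 'EncTypes'; Expression = { '0x{0:X}' -f $_.'msDS-SupportedEncryptionTypes' } }
}

function Clear-AesEncryptionFlags {
    # Drops only the AES bits, keeping whatever else is set (e.g. DES, per the BES setup notes).
    # Preview only unless -Apply is given.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Apply
    )
    $user    = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SupportedEncryptionTypes'
    $current = [int]$user.'msDS-SupportedEncryptionTypes'
    $new     = $current -band (-bnot $AesMask)
    if ($new -eq $current) { Write-Host "$SamAccountName has no AES bits set"; return }
    Write-Host ("{0}: 0x{1:X} -> 0x{2:X}" -f $SamAccountName, $current, $new)
    if ($Apply) {
        if ($new -eq 0) {
            # Nothing left: clear the attribute so the account falls back to the domain default.
            Set-ADUser -Identity $SamAccountName -Clear 'msDS-SupportedEncryptionTypes'
        } else {
            Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = $new }
        }
    }
}

function Get-KerberosKeySymptomEvents {
    # The post's symptom events on the local machine (assumed to be in the System log):
    # 14 = no suitable key for the AS request, 40960 = LsaSrv authentication error.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = @(14, 40960)
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Usage: only worth acting on while 2003 DCs are still in the domain.
$legacy = Get-LegacyDomainControllers
if ($legacy) {
    Write-Host "Server 2003 DCs still present:"; $legacy | Format-Table -AutoSize
    Write-Host "Accounts advertising AES:";      Get-AesFlaggedAccounts | Format-Table -AutoSize
    Get-KerberosKeySymptomEvents | Format-Table -AutoSize
    # Clear-AesEncryptionFlags -SamAccountName 'besadmin' -Apply   # placeholder account name
}
```

Run the audit from a 2008 machine with RSAT; the preview-by-default remediation lets you confirm the before/after bit values for each account before anything is written back to AD.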