Mixed 2003/2008 Domain Controllers: Account Compromised

While setting up a BlackBerry Enterprise Server (BES), whose install guide walks you through the Kerberos encryption options on the service account, I ran into the fact that "This account supports Kerberos AES 128/256 bit encryption" is not usable in a mixed Windows Server 2003/2008 domain. Select only "Use Kerberos DES encryption types for this account", as the BES setup instructions say. Windows Server 2003 domain controllers have no AES Kerberos support at all; the AES128/AES256 encryption types arrived with Server 2008 and Vista. Once an account is marked as supporting AES, a Vista/7/2008 client asks for the strongest type the account advertises, so the result depends on which DC answers the request: a 2008 DC can issue an AES-keyed ticket, a 2003 DC cannot, and logons or password changes fail intermittently. That inconsistency made the issue harder to isolate, because it would neither work nor fail reliably. One caveat before you follow the vendor's advice: DES is a weak cipher and Windows 7 / Server 2008 R2 disable it by default, so restrict the DES-only setting to the single service account the vendor requires and remove it once the last 2003 DC is retired.

Symptoms you will observe include:

  • Sys-tray pop-up that your account may be compromised
  • Sys-tray pop-up asking you to lock and unlock your computer; after you do, it prompts you again
  • Event ID 14 (Kerberos-Key-Distribution-Center, logged on the DC): While processing an AS request for target service, the account did not have a suitable key for generating a Kerberos ticket
  • Event ID 40960 (LsaSrv, on the client): The Security System detected an authentication error for the server…the failure code from the authentication protocol was "(0x80080341)".
  • Event ID 6 (AutoEnrollment, on the client): Automatic certificate enrollment for USER failed (0,80072095) A directory service error has occurred.

This issue is not specific to BlackBerry installations. Out-of-the-box accounts do not have the AES options selected, so the problem only surfaces when you are in a mixed environment and someone changes that setting; here the BES setup was the reason for the change.
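The following script is an added example and is not part of the original post or of the BES documentation. It audits a mixed 2003/2008 domain for the condition described above: it lists each DC's operating system, decodes the msDS-SupportedEncryptionTypes bitmask on every user account that advertises AES, and can reset one account to DES-only the way the BES instructions call for. It deliberately uses ADSI/DirectorySearcher instead of the ActiveDirectory module, because the module needs Active Directory Web Services, which Windows Server 2003 DCs do not run. The bit values and the UF_USE_DES_KEY_ONLY flag are the documented Windows constants; the account name 'besadmin' in the usage line is a placeholder.

```powershell
# Added example (not from the original post): audit Kerberos encryption types
# in a mixed 2003/2008 domain. Run from a domain-joined Vista/7/2008 machine.

# Bit values of msDS-SupportedEncryptionTypes (KERB_ENCTYPE_* in the Windows SDK).
$EncTypes = @{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10
}
# userAccountControl flag set by the "Use Kerberos DES encryption types" checkbox.
$UF_USE_DES_KEY_ONLY = 0x200000

function New-DomainSearcher([string]$Filter, [string[]]$Properties) {
    # Paged LDAP search rooted at the default naming context; works against any DC.
    $root     = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + $root.defaultNamingContext)
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.AddRange($Properties)
    return $searcher
}

function Get-DomainControllerVersions {
    # Confirms the domain really is mixed: one row per DC (SERVER_TRUST_ACCOUNT = 8192).
    $s = New-DomainSearcher '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' `
                            @('dNSHostName', 'operatingSystem')
    foreach ($r in $s.FindAll()) {
        New-Object PSObject -Property @{
            DC = [string]$r.Properties['dnshostname'][0]
            OS = [string]$r.Properties['operatingsystem'][0]
        }
    }
}

function ConvertFrom-EncTypeMask([int]$Mask) {
    # Decodes the bitmask into the names shown under the ADUC account options.
    $names = @()
    foreach ($e in ($EncTypes.GetEnumerator() | Sort-Object Value)) {
        if ($Mask -band $e.Value) { $names += $e.Key }
    }
    if ($names.Count -eq 0) { 'RC4 (default, attribute unset)' } else { $names -join ',' }
}

function Get-AesEnabledAccounts {
    # Users with AES128 (0x8) or AES256 (0x10) set: a 2003 DC cannot serve these.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=8)' +
                '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=16)))'
    $s = New-DomainSearcher $filter @('sAMAccountName', 'msDS-SupportedEncryptionTypes', 'userAccountControl')
    foreach ($r in $s.FindAll()) {
        $mask = [int]$r.Properties['msds-supportedencryptiontypes'][0]
        $uac  = [int]$r.Properties['useraccountcontrol'][0]
        New-Object PSObject -Property @{
            Account  = [string]$r.Properties['samaccountname'][0]
            EncTypes = ConvertFrom-EncTypeMask $mask
            DesOnly  = [bool]($uac -band $UF_USE_DES_KEY_ONLY)
        }
    }
}

function Set-AccountDesOnly {
    # Clears the AES bits and sets the DES-only flag on one account.
    # Reset the account's password afterwards so the DC regenerates the stored
    # Kerberos keys. DES is weak: limit this to the service account the vendor insists on.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $s = New-DomainSearcher "(&(objectClass=user)(sAMAccountName=$SamAccountName))" @('distinguishedName')
    $r = $s.FindOne()
    if ($r -eq $null) { throw "Account $SamAccountName not found" }
    $user = $r.GetDirectoryEntry()
    $uac  = [int]$user.userAccountControl.Value
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set DES-only Kerberos encryption')) {
        $user.Put('msDS-SupportedEncryptionTypes', ($EncTypes['DES-CBC-CRC'] -bor $EncTypes['DES-CBC-MD5']))
        $user.Put('userAccountControl', ($uac -bor $UF_USE_DES_KEY_ONLY))
        $user.SetInfo()
    }
}

# Usage:
Get-DomainControllerVersions | Format-Table -AutoSize
Get-AesEnabledAccounts       | Format-Table -AutoSize
# Set-AccountDesOnly -SamAccountName 'besadmin' -WhatIf   # 'besadmin' is a placeholder
```

Run the two audit functions first: if Get-DomainControllerVersions shows any Server 2003 entry and Get-AesEnabledAccounts returns rows, those accounts are the ones that will produce the intermittent Event ID 14 / 40960 symptoms above. Use -WhatIf on Set-AccountDesOnly to see what would change before committing it.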

Working with .admx templates within legacy Windows 2000/2003 Domains

As many of you know, Windows Vista, 7 and Server 2008 all use .admx policy templates, and Server 2008 already ships with the correct ones. What do you do when a client still runs only Windows 2000/2003 domain controllers and you need the .admx templates for IE8 or for Vista/7 policy settings?

All you need in that environment is one Vista/7/2008 system (it does not need to be a DC, only a domain member) with the Group Policy Management Console (GPMC) installed; on Vista/7 it comes with the Remote Server Administration Tools (RSAT), on 2008 it is a feature. From there you can load the newer ADMX files, such as inetres.admx for IE8, into that machine's PolicyDefinitions folder and manage those policies even on a legacy domain. The GPO settings themselves are written to registry.pol in SYSVOL, so the DC version does not matter.

One more note of caution: you will need to use that system for all future changes to those GPOs, because the Windows 2003 GPMC and policy editor only understand .adm templates and cannot read or change settings that come from the newer ADMX files.
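The following script is an added example and is not part of the original post. It does the two things you want when loading a template such as inetres.admx onto the admin box: it copies the ADMX together with its language file (the GPMC refuses to load an ADMX whose matching .adml is missing from the language subfolder), and it parses the ADMX to list the policies it defines, resolving their display names from the ADML string table, so you can confirm what you will be able to manage before opening the console. The destination defaults to the local PolicyDefinitions folder; the SYSVOL central store path (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) works the same way, since it is only a folder that the Vista+ editor reads. The source path C:\temp\inetres.admx in the usage lines is a placeholder.

```powershell
# Added example (not from the original post): install an ADMX/ADML pair into a
# PolicyDefinitions folder and enumerate the policies the ADMX defines.

function Install-AdmxTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$AdmxPath,   # e.g. C:\temp\inetres.admx (placeholder)
        [string]$Language    = 'en-US',
        [string]$Destination = (Join-Path $env:SystemRoot 'PolicyDefinitions')
    )
    # The ADML must sit in a language subfolder next to the ADMX, e.g. .\en-US\inetres.adml
    $admlName = [IO.Path]::ChangeExtension((Split-Path $AdmxPath -Leaf), '.adml')
    $admlPath = Join-Path (Join-Path (Split-Path $AdmxPath -Parent) $Language) $admlName
    if (-not (Test-Path $admlPath)) { throw "Language file missing: $admlPath" }

    $langDir = Join-Path $Destination $Language
    if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
    Copy-Item $AdmxPath (Join-Path $Destination (Split-Path $AdmxPath -Leaf)) -Force
    Copy-Item $admlPath (Join-Path $langDir $admlName) -Force
}

function Get-AdmxPolicies {
    # Parses the ADMX and resolves $(string.Id) display names via the ADML string table.
    param(
        [Parameter(Mandatory = $true)][string]$AdmxPath,
        [string]$Language = 'en-US'
    )
    [xml]$admx = Get-Content -Path $AdmxPath
    $admlPath = Join-Path (Join-Path (Split-Path $AdmxPath -Parent) $Language) `
                          ([IO.Path]::ChangeExtension((Split-Path $AdmxPath -Leaf), '.adml'))
    [xml]$adml = Get-Content -Path $admlPath

    $strings = @{}
    foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.id] = $s.'#text'
    }
    foreach ($p in $admx.policyDefinitions.policies.policy) {
        $id   = $p.displayName -replace '^\$\(string\.(.+)\)$', '$1'
        $name = if ($strings.ContainsKey($id)) { $strings[$id] } else { $p.displayName }
        New-Object PSObject -Property @{
            Policy    = $p.name
            Display   = $name
            Class     = $p.class        # Machine, User or Both
            Key       = $p.key          # registry key the setting writes to
            ValueName = $p.valueName
        }
    }
}

# Usage (source path is a placeholder):
# Install-AdmxTemplate -AdmxPath 'C:\temp\inetres.admx'
# Get-AdmxPolicies -AdmxPath "$env:SystemRoot\PolicyDefinitions\inetres.admx" |
#     Format-Table Policy, Class, Key -AutoSize
```

After installing, open the GPMC on the same machine and edit a GPO; the policies listed by Get-AdmxPolicies should appear under the category the template defines. Keep using that machine for those GPOs, as the note above says.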

