DES Encryption Windows Server 2003/2008-WinXP/7
On my network I have 2 DCs, Win2003 R2 and Win2008 (not R2). I need to enable DES encryption (DES_CBC_MD5 and DES_CBC_CRC) so a handful of Win 7 clients can log in to Oracle Apps through IE8 without needing to manually enter network credentials (most of our clients are XP and don't need to do this). I did a test on enabling this on my Win 7 client and it worked (Oracle login), but after that I cannot log in to the network: "username and password incorrect". I assume that it can't authenticate because DES is not working on the servers. I have read around the internet and understand that with Windows 7 and Server 2008 R2, DES encryption is not enabled by default. So my questions are these:
1. Since I am not running a 2008 R2 DC, shouldn't DES be working anyway?
2. If not, how do we enable it?
3. If I do enable it, will there potentially be any issues with the XP clients, or will they use DES automatically?
4. If not, do I need to use a GPO to get all clients to use DES?
My main concern is that if I enable it on my DCs, will I have login issues with all clients. Tks
May 17th, 2011 9:09pm

How did you enable this on the client?
Sumesh P - Microsoft Online Community Support
May 20th, 2011 7:48am

While I research further, please see if this answers your query:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8/
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/80a5845c-aa74-4baf-9c05-8733ffcd0545/
http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/d91b3433-e6b5-4789-80a3-9f02d64178f4/
FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain
http://support.microsoft.com/kb/978055
Sumesh P - Microsoft Online Community Support
May 20th, 2011 7:53am

DES is not enabled by default in Windows 7 and Windows Server 2008 R2.

Enabling DES encryption types for Kerberos
In Windows 7 and Windows Server 2008 R2, you must configure your computers to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. The "Configure encryption types allowed for Kerberos" policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options.

Hunting down DES in order to securely deploy Kerberos
http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx
245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030
http://blogs.technet.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx
Sumesh P - Microsoft Online Community Support
May 23rd, 2011 4:53am
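
The "Configure encryption types allowed for Kerberos" setting named in the reply above is stored as a bitmask. The following is an added example, not code from the thread or from Microsoft: it decodes such values and flags hosts where DES is allowed, or where DES is the only type left enabled. It assumes the values were read from the `SupportedEncryptionTypes` registry value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters`; the host names and values are constructed.

```python
# Added example (not from the thread): decode the bitmask written by the
# "Configure encryption types allowed for Kerberos" policy setting.
# Assumption: each value was read from the SupportedEncryptionTypes registry
# value under ...\Policies\System\Kerberos\Parameters on the host.

ETYPE_BITS = [
    (0x01, "DES_CBC_CRC"),
    (0x02, "DES_CBC_MD5"),
    (0x04, "RC4_HMAC_MD5"),
    (0x08, "AES128_HMAC_SHA1"),
    (0x10, "AES256_HMAC_SHA1"),
]
DES_MASK = 0x03            # both DES types
FUTURE_MASK = 0x7FFFFFE0   # the "Future encryption types" checkbox


def decode_etypes(value):
    """Return the names of the encryption types enabled in the bitmask."""
    names = [name for bit, name in ETYPE_BITS if value & bit]
    if value & FUTURE_MASK:
        names.append("FUTURE_TYPES")
    return names


def assess(value):
    """Classify a policy value by how it treats DES."""
    if value is None:
        return "not-configured"      # policy unset: OS defaults apply
    if not value & DES_MASK:
        return "no-des"
    if value & ~DES_MASK & 0x7FFFFFFF:
        return "des-plus-others"     # DES allowed alongside RC4/AES
    return "des-only"                # nothing but DES is left enabled


def audit(inventory):
    """Map host -> (verdict, enabled types) for a {host: value} inventory."""
    report = {}
    for host, value in sorted(inventory.items()):
        types = decode_etypes(value) if value is not None else []
        report[host] = (assess(value), types)
    return report


# Constructed sample inventory (hypothetical host names and values).
SAMPLE = {"WIN7-A": 0x03, "WIN7-B": 0x1F, "WIN7-C": 0x1C, "WIN7-D": None}

if __name__ == "__main__":
    for host, (verdict, types) in audit(SAMPLE).items():
        print(f"{host}: {verdict} {types}")
```
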

Thanks for all that info... however, most of it doesn't seem appropriate as we do not have a 2008 R2 DC, only 2008 std. So I still do not understand what the issue is. When I enable the DES setting in group policy on the Win 7 client, it can log in to the Oracle application. When I reboot the client, however, it can no longer log on to the domain; I get 'The username or password is incorrect' every time I try. Even if I tick the 'Use Kerberos DES encryption types.....' in the user account settings, it makes no difference. Help
June 15th, 2011 11:30pm

This topic is archived. No further replies will be accepted.