Kerberos and RC4
I am dealing with the following situation, in which the granularity offered by Windows Server 2008 is insufficient for properly configuring my Kerberos environment. The use of RC4 by Windows products is not enabling me to properly utilize services that support AES. The problem lies in the following configuration:

I have a Windows XP client, a non-Windows based service that supports DES and AES, and a Windows Server 2008 running as the KDC. An environment that properly works for these systems is to configure both the client principal, who logs on through the Windows XP machine, and the service principal as "Use Kerberos DES encryption types for this account". However, if I now enable the following two options for the service principal, "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption", while still having "Use Kerberos DES encryption types for this account" checked, this setting overrides the AES settings and other clients that support AES are forced to use DES encryption. Finally, and this is the configuration that relates to the problem, when I remove the "Use Kerberos DES..." option but still have the AES options selected, RC4 becomes a viable encryption type, which is not supported by the service. However, I have no way (that I have found in looking through registries, attributes, and other possible environment configurations) to end up with a DES based session key to be used when connecting to the service that doesn't support RC4.

It doesn't matter if the authentication with the KDC (AS_REQ, AS_REP) is being performed with RC4, but there should be a way to specify that the service doesn't support RC4, such that the etypes reported by Windows XP (RC4, DES-CBC-CRC, DES-CBC-MD5) are compared to the etypes supported by the service (DES-CBC-CRC, DES-CBC-MD5, AES128, AES256, other) and the session key returned from the TGS_REQ uses a DES based key, not RC4.

Is there a way of disabling RC4 encryption for use in Kerberos, or is there a way of properly specifying that the service principal only supports the mentioned encryption types, so that I can ensure that the session key uses the appropriate encryption type?

One attribute in particular I have tried playing with without seeing any effect is msDS-SupportedEncryptionTypes. This had no effect. Any and all help would be appreciated.
Thanks!
June 22nd, 2010 7:36pm
Hi,
Setting the registry entry KdcUseRequestedEtypesForTickets to 1 should help:
833708 KDC does not allow clients to specify an etype in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;833708

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 28th, 2010 6:05am
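To make the negotiation the question describes concrete, here is an added example (not code from either poster) that models how a KDC picks the TGS session-key etype from the client's requested etype list and the service account's msDS-SupportedEncryptionTypes bitmask. It assumes the rule "first etype the client asked for that the service advertises", which is the outcome the KdcUseRequestedEtypesForTickets setting in the answer is meant to give; the client lists and service flag values are constructed to mirror the thread's scenario.

```python
# Added example, not code from the thread: a simplified model of how a KDC picks
# the TGS session-key etype from the client's requested etypes and the service
# account's msDS-SupportedEncryptionTypes. Etype numbers are the IANA/RFC values
# (RFC 3961, RFC 4757); the flag bits follow MS-KILE. The selection rule modelled
# ("first etype the client asked for that the service supports") is an assumption
# about the desired behaviour, not a description of any specific KDC build.
DES_CBC_CRC, DES_CBC_MD5, AES128, AES256, RC4_HMAC = 1, 3, 17, 18, 23
ETYPE_NAMES = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    AES128: "aes128-cts-hmac-sha1-96",
    AES256: "aes256-cts-hmac-sha1-96",
    RC4_HMAC: "rc4-hmac",
}
# msDS-SupportedEncryptionTypes bit -> etype it advertises (MS-KILE)
FLAG_TO_ETYPE = {0x01: DES_CBC_CRC, 0x02: DES_CBC_MD5, 0x04: RC4_HMAC,
                 0x08: AES128, 0x10: AES256}

def etypes_from_flags(flags):
    """Expand an msDS-SupportedEncryptionTypes bitmask into the etypes it advertises."""
    return [etype for bit, etype in FLAG_TO_ETYPE.items() if flags & bit]

def select_session_etype(requested, service_flags):
    """Return the session-key etype: the first client-requested etype that the
    service advertises. Raises ValueError when there is no overlap, which is
    the situation in which a real KDC answers KDC_ERR_ETYPE_NOSUPP."""
    supported = set(etypes_from_flags(service_flags))
    for etype in requested:
        if etype in supported:
            return etype
    raise ValueError("no common etype between client and service")

# Constructed inputs that mirror the thread's scenario.
XP_CLIENT = [RC4_HMAC, DES_CBC_CRC, DES_CBC_MD5]              # XP preference order
AES_CLIENT = [AES256, AES128, RC4_HMAC, DES_CBC_CRC, DES_CBC_MD5]
SERVICE_DES_AES = 0x01 | 0x02 | 0x08 | 0x10   # DES + AES, RC4 bit not set
SERVICE_WITH_RC4 = SERVICE_DES_AES | 0x04     # same account with the RC4 bit set

if __name__ == "__main__":
    for label, client in (("XP client", XP_CLIENT), ("AES client", AES_CLIENT)):
        for svc, flags in (("DES+AES", SERVICE_DES_AES), ("DES+AES+RC4", SERVICE_WITH_RC4)):
            chosen = select_session_etype(client, flags)
            print(f"{label} vs service {svc}: {ETYPE_NAMES[chosen]}")
```

Under this rule the XP client ends up with a DES session key only while the service's RC4 bit is clear; as soon as RC4 is advertised for the account, XP's preference order makes RC4 win, which is the symptom the question reports.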