Windows 2008 R2 DES and IBM SSO
We are trying to set up SSO for our IBM I/5 (AS400). We have a Windows 2008 R2 Domain in Windows 2003 mode. We still have a couple of Windows 2003 DCs. The problem lies here: on the XP machines we enabled the Local Machine security setting Security Settings > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos. In the policy I have enabled DES_CBC_CRC and DES_CBC_MD5. The Windows XP machines work great with SSO to the IBM server. The problem appears on Windows 7 machines. We have two issues. One: if the user is allowed to log in, the computer continually asks for user credentials. I read there is a registry key to fix this, but it does not work. The larger issue is that once the security policy is enabled on Windows 7 machines, no one can log in to the machine except a domain admin with a cached account. Do I need to enable this policy on the domain controllers too? If so, how will this affect the Windows XP machines? How will it affect Vista clients?

Thanks,
Adam

adam Lussier
March 1st, 2010 2:47am

I know this is a bit late in replying, as I found this article on the web while searching about the AS400's antiquated encryption methodologies in regards to Kerberos (which who knows if they will ever fix, since those boxes are in very small/niche markets and are not very common and not worth their time to update, I'm sure). At any rate, we have one of these old AS400 clunkers that requires DES_CBC_CRC and DES_CBC_MD5, and we had to get our domain controllers upgraded to 2008 R2, and we deployed the updates via group policy so it went down to all the machines. AFAIK this domain policy setting only affects Windows 2008 R2 and Windows 7 machines, as the setting "Configure encryption types allowed for Kerberos" only shows up on 2008 R2 and Windows 7 machines and is enabled by default on Windows XP, 2008, and Vista machines.

There are more details here: http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx

And more details here: http://support.microsoft.com/kb/977321

Hopefully IBM will update their Kerberos SSO stuff to support better encryption in the future, but I'm not betting the farm on it.

Dynamics GP SSIS Toolkit and XML SSIS Toolkit. Visit http://www.keelio.com for more information.
April 21st, 2010 8:38pm
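
An added example, not part of either post: a PowerShell function that decodes a Kerberos encryption-type bitmask of the kind this policy produces and flags a DES-only selection, since types left unselected in the policy are not allowed. The function name and the sample masks are constructed for illustration; the bit values are assumed to follow the msDS-SupportedEncryptionTypes layout.

```powershell
# Added example (hypothetical helper, not from the thread).
# Bit values assumed to follow the msDS-SupportedEncryptionTypes layout.
$EtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}

function Get-KerberosEtypeReport {
    param([Parameter(Mandatory)][int]$Mask)

    # Names of every known encryption type whose bit is set in the mask
    $enabled = @($EtypeBits.Keys | Where-Object { $Mask -band $EtypeBits[$_] })
    $des     = @($enabled | Where-Object { $_ -like 'DES_*' })
    $nonDes  = @($enabled | Where-Object { $_ -notlike 'DES_*' })

    $finding =
        if ($enabled.Count -eq 0) {
            'No known encryption type bits set'
        } elseif ($nonDes.Count -eq 0) {
            # Only DES ticked: RC4 and AES are disallowed on this machine
            'DES only: RC4 and AES are not allowed'
        } elseif ($des.Count -gt 0) {
            'DES allowed alongside stronger types'
        } else {
            'DES not allowed'
        }

    [pscustomobject]@{
        Mask    = '0x{0:X}' -f $Mask
        Enabled = $enabled -join ', '
        Finding = $finding
    }
}

# Constructed sample masks: DES only, all five types, RC4 + AES only
0x3, 0x1F, 0x1C | ForEach-Object { Get-KerberosEtypeReport -Mask $_ } |
    Format-Table -AutoSize
```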
