Security

  • 1.  CPPM AD machine account - Support for Kerberos DES weak encryption - Active Directory msDS-SupportedEncryptionTypes

    Posted May 27, 2022 11:49 AM
    Hello all,

    Has anyone else come across this AD attribute msDS-SupportedEncryptionTypes - being enabled to support DES when adding policy manager to a domain?

    I noticed that all the machine accounts for our ClearPass Policy Manager servers have DES encryption as supported - obviously that's a very weak encryption type that we don't want available.

    msDS-SupportedEncryptionTypes = 31 (0x1F)

    From here Decrypting the Selection of Supported Kerberos Encryption Types - Microsoft Tech Community - I can see 31 means all (DES_CBC_CRC, DES_CBC_MD5, RC4, AES 128, AES 256) are supported.

    Has anyone successfully changed this, to say 24 - which is just AES 128/256?  No other machine accounts have 31 set, domain controllers are set to 28 (2012R2 domain).

    From my understanding this is set on the initial add to Active Directory & ldap bind.  As we've had CPPM a while, I wonder if newer versions add to the domain with a different setting?


  • 2.  RE: CPPM AD machine account - Support for Kerberos DES weak encryption - Active Directory msDS-SupportedEncryptionTypes

    Posted Jun 07, 2022 09:54 AM
    Don't know about stripping down the ciphers, but in lab you could simply test this. The ClearPass computer account in AD is only used for MSCHAPv2 authentication, so not for the LDAP BIND. With MSCHAPv2 being deprecated, use EAP-TLS instead wherever possible, this may be a non-issue if the domain join is just removed.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: CPPM AD machine account - Support for Kerberos DES weak encryption - Active Directory msDS-SupportedEncryptionTypes

    Posted Dec 08, 2023 07:27 AM

    Hello,

    My apologies for hijacking the topic, but has anyone been able to test the msDS-SupportedEncryptionTypes change for the ClearPass AD accounts? We've noticed the same when running security checks. PEAP-MSCHAPv2 is still needed for some authentications so we can't remove the accounts just yet.

    Thanks,

    Kris




  • 4.  RE: CPPM AD machine account - Support for Kerberos DES weak encryption - Active Directory msDS-SupportedEncryptionTypes
    Best Answer

    Posted Dec 08, 2023 07:44 AM

    Hi,

    Sorry I should have bothered to update the discussion.

    I successfully changed this to 28 (RC4 / AES128 / AES256) without issue for all our CPPM computer accounts.  I think if I remember correctly, there was an issue setting it to just AES, RC4 was needed at that point - although likely to have changed since.
    We've still got it as 28 for CPPM, although we have since removed RC4 from domain controllers (setting to 24) without causing any CPPM issues.

    Cheers.
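
    The audit and change described in this thread, as an added PowerShell example that is not part of the original posts. It assumes the ActiveDirectory RSAT module and rights to read and modify computer objects; the bit values are the documented msDS-SupportedEncryptionTypes flags (31 = all five, 28 = RC4+AES, 24 = AES only), and the CPPM account names are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is
# available and the account running this can read/modify computer objects.
Import-Module ActiveDirectory

# Documented flag bits of msDS-SupportedEncryptionTypes
$EncFlags = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}

function Get-EncTypeNames {
    # Decode a raw attribute value: 31 -> all five, 28 -> RC4+AES, 24 -> AES only
    param([int]$Value)
    if ($Value -eq 0) { return 'not set (DC default applies)' }
    ($EncFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }) -join ','
}

# 1. Audit: list every computer account that still advertises a DES type,
#    which is what the security check in the thread flagged for the CPPM nodes.
$desMask = $EncFlags.DES_CBC_CRC -bor $EncFlags.DES_CBC_MD5
Get-ADComputer -Filter * -Properties 'msDS-SupportedEncryptionTypes' |
    Where-Object { ($_.'msDS-SupportedEncryptionTypes' -band $desMask) -ne 0 } |
    Select-Object Name,
        @{ n = 'Raw';      e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'EncTypes'; e = { Get-EncTypeNames $_.'msDS-SupportedEncryptionTypes' } }

# 2. Remediate: the value reported as working for CPPM accounts is 28 (RC4+AES);
#    change $target to AES128 -bor AES256 (24) once authentications are confirmed
#    healthy on 28. Remove -WhatIf to actually apply the change.
$cppmAccounts = @('CPPM-NODE1$', 'CPPM-NODE2$')   # placeholder sAMAccountNames
$target = $EncFlags.RC4_HMAC -bor $EncFlags.AES128 -bor $EncFlags.AES256   # 28
foreach ($acct in $cppmAccounts) {
    Set-ADComputer -Identity $acct `
        -Replace @{ 'msDS-SupportedEncryptionTypes' = $target } -WhatIf
}
```

    Re-run the audit after the change and test a PEAP-MSCHAPv2 authentication through CPPM before tightening further to 24.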




  • 5.  RE: CPPM AD machine account - Support for Kerberos DES weak encryption - Active Directory msDS-SupportedEncryptionTypes

    Posted Dec 08, 2023 08:26 AM

    Thanks!

    Kris