Don't know about stripping down the ciphers, but in a lab you could simply test this. The ClearPass computer account in AD is only used for MSCHAPv2 authentication, so not for the LDAP BIND. With MSCHAPv2 being deprecated, use EAP-TLS instead wherever possible; this may be a non-issue if the domain join is just removed.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: May 27, 2022 11:49 AM
From: Nick Kershaw
Subject: CPPM AD machine account - Support for Kerberos DES weak encryption - Active Directory msDS-SupportedEncryptionTypes
Hello all,
Has anyone else come across this AD attribute msDS-SupportedEncryptionTypes - being enabled to support DES when adding policy manager to a domain?
I noticed that all the machine accounts for our ClearPass Policy Manager servers have DES encryption as supported - obviously that's a very weak encryption type that we don't want available.
msDS-SupportedEncryptionTypes = 31 (0x1F)
From here Decrypting the Selection of Supported Kerberos Encryption Types - Microsoft Tech Community - I can see 31 means all (DES+A1:C33_CBC_MD5, DES_CBC_MD5, RC4, AES 128, AES 256) are supported.
Has anyone successfully changed this, to say 24 - which is just AES 128/256? No other machine accounts have 31 set, domain controllers are set to 28 (2012R2 domain).
From my understanding this is set on the initial add to Active Directory & LDAP bind. As we've had CPPM a while, I wonder if newer versions add to the domain with a different setting?
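
One way to audit the attribute discussed in this thread, as an added example that is not part of either post or of any Aruba or Microsoft tooling: it decodes msDS-SupportedEncryptionTypes values, flags accounts that still advertise DES, and shows the value with only the DES bits cleared. The account names are constructed; 31, 28 and 24 are the values quoted in the original message, and the function and variable names are hypothetical.

```powershell
# Added example. Bit values are the documented msDS-SupportedEncryptionTypes flags.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}
$DesMask = 0x03   # DES_CBC_CRC | DES_CBC_MD5

function Get-EncTypeReport {
    param(
        [Parameter(Mandatory)][string]$Name,
        [AllowNull()]$Value   # $null when the attribute is not set on the account
    )
    if ($null -eq $Value) {
        return [pscustomobject]@{
            Name = $Name; Value = $null; Types = '(not set, KDC default applies)'
            Des = $false; Rc4 = $false; WithoutDes = $null
        }
    }
    $v = [int]$Value
    $types = foreach ($k in $EncTypeBits.Keys) { if ($v -band $EncTypeBits[$k]) { $k } }
    [pscustomobject]@{
        Name       = $Name
        Value      = '{0} (0x{0:X2})' -f $v
        Types      = $types -join ', '
        Des        = [bool]($v -band $DesMask)
        Rc4        = [bool]($v -band $EncTypeBits.RC4_HMAC)
        WithoutDes = $v -band (-bnot $DesMask)   # same value with only the DES bits cleared
    }
}

# Constructed sample accounts; 31, 28 and 24 are the values quoted in the thread.
# Live input would come from the ActiveDirectory module instead:
#   Get-ADComputer -Filter * -Properties 'msDS-SupportedEncryptionTypes'
$accounts = @(
    @{ Name = 'CPPM-01$';  Value = 31 }
    @{ Name = 'DC-01$';    Value = 28 }
    @{ Name = 'SRV-APP$';  Value = 24 }
    @{ Name = 'OLD-HOST$'; Value = $null }
)
$report = foreach ($a in $accounts) { Get-EncTypeReport -Name $a.Name -Value $a.Value }
$report | Format-Table Name, Value, Types, Des, Rc4, WithoutDes -AutoSize
$report | Where-Object Des |
    ForEach-Object { "DES still advertised: $($_.Name) -> $($_.WithoutDes) with the DES bits cleared" }
```

For the sample value 31 the report shows 28 with DES cleared (RC4 plus AES); the AES-only value asked about in the thread is 24, which also drops the RC4 bit.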