Transparent Kerberos issues on Windows 7 machines

August 19, 2011 • Customer Services       
Synopsis

XP clients can authenticate against the domain without problems, but Windows Vista/7 clients cannot.

Article

Cause: Vista and 7 clients default to using AES Kerberos keys. These should be supported; however, for some reason, some domains running in mixed mode or in 2003/2000 mode don't work properly with them.

Solution: Log into the CensorNet command line as root and run:

nano /usr/lib/cnv4/set_auth_config_negotiate.sh

 

First edit these lines:

default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

 

So that they now read:

default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

 

Then find the first line that starts with the "msktutil" command and, using the arrow keys, move to the end of the line. Change "--enctypes 28" to "--enctypes 23".

Save the file using ctrl+o and exit using ctrl+x.

Now on your Active Directory machine, locate the censornet computer object and delete it. Then set up the Transparent Kerberos authentication again. Make sure that everyone logs out and back in again, and everything should work as normal.
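
The "--enctypes" number is a bitmask, so it is worth checking it against the "permitted_enctypes" line before re-joining the domain. The script below is an added example, not CensorNet's code: it decodes the values 28 and 23 from this article using the bit values documented for msktutil and compares them with the krb5 settings shown above. The function names and the embedded sample strings are constructed for illustration.

```python
# Added example: audit the enctype settings shown in this article.
# Bit values are those documented for msktutil --enctypes; the same bits
# are stored in the AD attribute msDS-SupportedEncryptionTypes.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}  # single DES and RC4

def decode_mask(mask):
    """Return the enctype names selected by an --enctypes value."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]

def parse_enctype_lines(text):
    """Collect the *_enctypes settings of a krb5 fragment into a dict of lists."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip().endswith("_enctypes"):
            settings[key.strip()] = value.replace(",", " ").split()
    return settings

def audit(krb5_text, mask):
    """Compare the keytab mask with permitted_enctypes and flag weak types."""
    allowed = parse_enctype_lines(krb5_text).get("permitted_enctypes", [])
    advertised = decode_mask(mask)
    permitted = [e for e in advertised if e in allowed]
    return {
        "advertised": advertised,
        "not_permitted": [e for e in advertised if e not in allowed],
        "permitted": permitted,
        "weak_permitted": [e for e in permitted if e in WEAK],
    }

# Settings copied from the article: original lines with 28, edited lines with 23.
BEFORE = """default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5"""
AFTER = """default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5"""

if __name__ == "__main__":
    for label, conf, mask in (("before", BEFORE, 28), ("after", AFTER, 23)):
        print(label, audit(conf, mask))
```

Run against the article's values, it reports that 23 still includes aes256-cts-hmac-sha1-96, which the edited "permitted_enctypes" line no longer lists, and that every enctype present in both settings is DES or RC4.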

 

Last modified on Mon, August 22, 2011