Chapter 5. Ensuring support for common encryption types in AD and RHEL
By default, Identity Management establishes a cross-realm trust with support for RC4, AES-128, and AES-256 Kerberos encryption types.
RC4 encryption has been deprecated and disabled by default, as it is considered less secure than the newer AES-128 and AES-256 encryption types. In contrast, Active Directory (AD) user credentials and trusts between AD domains support RC4 encryption and they might not support AES encryption types.
Without any common encryption types, communication between IdM and AD child domains might not work, or some AD accounts might not be able to authenticate. To remedy this situation, modify one of the following configurations:
- Enable AES encryption support in Active Directory (recommended option)
- To ensure trusts between AD domains in an AD forest support strong AES encryption types, see the following Microsoft article: AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain
- Enable RC4 support in RHEL
- On every IdM trust controller, trust agent, and client where authentication against AD Domain Controllers takes place:
update-crypto-policiescommand to enable the
AD-SUPPORT-LEGACYcryptographic subpolicy in addition to the
[root@host ~]# update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY Setting system policy to DEFAULT:AD-SUPPORT-LEGACY Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.
- Restart the host.