Chapter 5. Ensuring support for common encryption types in AD and RHEL

By default, Identity Management establishes a cross-realm trust with support for RC4, AES-128, and AES-256 Kerberos encryption types.

RC4 encryption has been deprecated and disabled by default, as it is considered less secure than the newer AES-128 and AES-256 encryption types. In contrast, Active Directory (AD) user credentials and trusts between AD domains support RC4 encryption and they might not support AES encryption types.

Without any common encryption types, communication between IdM and AD child domains might not work, or some AD accounts might not be able to authenticate. To remedy this situation, modify one of the following configurations:

Enable AES encryption support in Active Directory (recommended option)
To ensure trusts between AD domains in an AD forest support strong AES encryption types, see the following Microsoft article: AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain
Enable RC4 support in RHEL
On every IdM trust controller, trust agent, and client where authentication against AD Domain Controllers takes place:
  1. Use the update-crypto-policies command to enable the AD-SUPPORT-LEGACY cryptographic subpolicy in addition to the DEFAULT cryptographic policy.

    [root@host ~]# update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY
    Setting system policy to DEFAULT:AD-SUPPORT-LEGACY
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.
  2. Restart the host.