Are you using the wrong Salt?

Not on your hot chips, but in your Active Directory environment. Server 2003 was a very robust and long-lived operating system. The trouble is, next year W2K3 support disappears. The latest version is of course Server 2012 R2, and it’s this huge gap of 11 years that is causing some issues as people migrate from Domain Controllers running W2K3 to Server 2012 R2. At the heart of it is the “salt” used:

“The Kerberos client depends on a “salt” from the KDC in order to create the AES keys on the client side. These AES keys are used to hash the password that the user enters on the client, and protect it in transit over the wire so that it can’t be intercepted and decrypted. The “salt” refers to information that is fed into the algorithm used to generate the keys, so that the KDC is able to verify the password hash and issue tickets to the user.

When a Windows 2012 R2 DC is promoted in an environment where Windows 2003 DCs are present, there is a mismatch in the encryption types that are supported on the KDCs and used for salting. Windows Server 2003 DCs do not support AES and Windows Server 2012 R2 DCs don’t support DES for salting.”

Fascinating! Read the full article on the ASKDS TechNet Blog
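To make the quoted explanation concrete, here is an added example (not code from the original post or from the ASKDS article) showing where the salt enters the AES key derivation that Kerberos uses. It implements the first stage of the RFC 3962 string-to-key function (PBKDF2-HMAC-SHA1, 4096 iterations by default) using only Python's standard library; the final DK() step, which turns the PBKDF2 output into the actual AES key, needs an AES primitive and is deliberately left out, so the values below are the intermediate "string-to-key" output, not the finished key. The `windows_user_salt` helper, which builds the salt as uppercase realm plus account name, and the realm and account names are assumptions constructed for illustration; the self-check uses the published RFC 3962 test vector.

```python
import hashlib

# RFC 3962 parameters for the two AES Kerberos encryption types.
DEFAULT_ITERATIONS = 4096
KEY_BYTES = {"aes128-cts-hmac-sha1-96": 16, "aes256-cts-hmac-sha1-96": 32}


def rfc3961_default_salt(realm: str, principal: str) -> str:
    """RFC 3961 default salt: the realm name followed by the principal's name
    components with separators removed, e.g. "ATHENA.MIT.EDUraeburn"."""
    return realm + principal


def windows_user_salt(realm: str, sam_account_name: str) -> str:
    """Illustrative Windows-style user salt (assumption for this example):
    the uppercase DNS realm followed by the case-sensitive account name."""
    return realm.upper() + sam_account_name


def aes_string_to_key_stage1(password: str, salt: str,
                             etype: str = "aes128-cts-hmac-sha1-96",
                             iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Stage one of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the UTF-8
    password and salt, producing as many bytes as the etype's key size.
    The real AES key is DK(this_value, "kerberos"), omitted here because it
    needs an AES implementation; the salt dependence is already visible."""
    return hashlib.pbkdf2_hmac("sha1",
                               password.encode("utf-8"),
                               salt.encode("utf-8"),
                               iterations,
                               KEY_BYTES[etype])


def kdc_can_verify(kdc_salt: str, client_salt: str, password: str) -> bool:
    """Models the failure mode the post describes: KDC and client share the
    password, but if they salt it differently the derived keys differ and
    the KDC cannot validate what the client sends."""
    return (aes_string_to_key_stage1(password, kdc_salt)
            == aes_string_to_key_stage1(password, client_salt))


def rfc3962_selfcheck() -> bool:
    """Known-answer check against RFC 3962 Appendix B (iteration count 1,
    password "password", salt "ATHENA.MIT.EDUraeburn")."""
    out = aes_string_to_key_stage1("password", "ATHENA.MIT.EDUraeburn",
                                   iterations=1)
    return out.hex() == "cdedb5281bb2f801565a1122b2563515"


if __name__ == "__main__":
    # Constructed sample values, not from the post.
    realm, user, password = "corp.example.com", "Alice", "correct horse battery"
    rfc_salt = rfc3961_default_salt(realm, user)
    win_salt = windows_user_salt(realm, user)
    print("RFC-style salt    :", rfc_salt)
    print("Windows-style salt:", win_salt)
    print("stage-1 key (RFC) :", aes_string_to_key_stage1(password, rfc_salt).hex())
    print("stage-1 key (Win) :", aes_string_to_key_stage1(password, win_salt).hex())
    print("KDC can verify with matching salt   :", kdc_can_verify(win_salt, win_salt, password))
    print("KDC can verify with mismatched salt :", kdc_can_verify(win_salt, rfc_salt, password))
    print("RFC 3962 self-check passed          :", rfc3962_selfcheck())
```

The practical takeaway for a migration is the last two lines of output: a perfectly correct password still fails to authenticate if the KDC that stored the key and the client that derives it disagree on the salt or on the encryption type, which is exactly the W2K3 (no AES) versus 2012 R2 (no DES salting) mismatch the quoted text describes. Note that the DES string-to-key in RFC 3961 is a different algorithm altogether, so a DES-only DC has no way to produce or check the AES-derived value shown here.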


get IT right
