Hadoop and Kerberos encryption in AD

  • Last Post 17 August 2016
MatCollins posted this 16 August 2016


A third-party team is about to implement Cloudera hadoop in our existing AD and they have decided to implement it using RC4 encryption. For this to occur, I think we might need to allow this type of encryption for Kerberos using GPO, since by default it is not supported. (I am not a security guy, correct me if I am wrong!).

Has anyone ever tried enabling this encryption using the GPO "Network security: Configure encryption types allowed for Kerberos"? Any compatibility issues with clients? Errors?

I am open to any ideas toward this.


a-ko posted this 17 August 2016

They do two different things. “RC4, AES 128, AES 256, Future Encryption Types” is the default configuration. DES is NOT enabled by default. “This Account supports AES-128/AES-256” does something a little different. This is basically an enforcement of the AES Encryption for this account when issuing Kerberos tickets.

For the best security, I’d recommend setting the GPO to say “AES 128/AES 256/Future Encryption Types” + Enable Kerberos Armoring, FAST, Compound Authentication; using the Protected Users group for key accounts (say, your Domain Admins), leveraging a Bastion Forest design, and issuing your domain controllers with the “Kerberos” Certificate Template from an AD-Integrated CA. Then issuing server and workstation certificates across the board (preferably v3 or v4 templates, but there’s still a lot of incompatibility with those template types so a v2 template is likely the most compatible option).


slavickp posted this 16 August 2016

Works as documented. Since it’s a regression, no impact on clients - and we have a very large variety.


a-ko posted this 16 August 2016

I would recommend not enabling RC4. There are efforts underway to deprecate RC4 support in Kerberos from both MIT and Microsoft. https://tools.ietf.org/html/draft-kaduk-kitten-des-des-des-die-die-die-00

There will be no compatibility issues, but downgrade attacks are possible where Active Directory will accept an RC4 Kerberos Ticket. Also, RC4 Kerberos uses the NTLM Password Hash which can allow you to harvest the long term shared secrets (https://dirteam.com/sander/2014/07/15/security-thoughts-leveraging-ntlm-hashes-using-kerberos-rc4-hmac-encryption-aka-aorato-s-active-directory-vulnerability/) (the user’s password hash) and generate valid RC4 Kerberos tickets—without knowing what the password is. This isn’t a huge weakness in some cases (because most Windows environments will happily accept NTLM authentication anyway) but it could allow you to harvest a password hash to generate RC4 Kerberos tickets and access accounts that are otherwise in the “Protected Users” special security group, or any principal that otherwise requires Kerberos authentication to successfully authenticate to the network. In short, you would not be required to know the user’s password prior to using the hash to generate valid RC4 Kerberos tickets.

For targeted, specific accounts you’d like to protect you can go into AD and check the boxes that say “This account supports AES-128/AES-256”. This will prevent these accounts from being authenticated with RC4 Kerberos tickets even if the domain controller GPO says RC4 is otherwise fine.

-Mike Cramer
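The two settings discussed in this thread (the machine-wide GPO "Network security: Configure encryption types allowed for Kerberos" and the per-account "This account supports AES-128/AES-256" checkboxes) both end up as the same bitmask: the GPO writes it to the registry value `SupportedEncryptionTypes`, the checkboxes set bits in the account attribute `msDS-SupportedEncryptionTypes`. The script below is an added example, not code posted in the thread or shipped by Microsoft; it decodes that bitmask using the bit values Microsoft documents for the attribute, reads the local policy value, and lists user accounts on which RC4 is still permitted. The function names are my own; the registry path and attribute name are the documented ones.

```powershell
# Added example (not from the thread): decode the Kerberos encryption-type bitmask shared by
# the GPO (registry DWORD SupportedEncryptionTypes) and the per-account attribute
# msDS-SupportedEncryptionTypes, and report where RC4 is still allowed.

# Bit values Microsoft documents for msDS-SupportedEncryptionTypes.
$script:KerbEtype = [ordered]@{
    'DES_CBC_CRC'             = 0x01
    'DES_CBC_MD5'             = 0x02
    'RC4_HMAC_MD5'            = 0x04
    'AES128_CTS_HMAC_SHA1_96' = 0x08   # "This account supports Kerberos AES 128 bit encryption"
    'AES256_CTS_HMAC_SHA1_96' = 0x10   # "This account supports Kerberos AES 256 bit encryption"
}
# Everything above the five named bits is what the GPO labels "Future encryption types".
$script:FutureMask = 0x7FFFFFE0

function ConvertFrom-KerbEtypeMask {
    # Unset attribute ($null) or 0 means no explicit restriction: the KDC default applies,
    # which is not an AES-only enforcement, so it is reported as RC4-allowed.
    param([int] $Value = 0)
    if ($Value -eq 0) {
        return [pscustomobject]@{
            Value = '<unset or 0>'; Types = @('<default applies>'); Rc4Allowed = $true; AesEnforced = $false
        }
    }
    $types = @(foreach ($kv in $script:KerbEtype.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
    })
    if ($Value -band $script:FutureMask) { $types += 'Future_Encryption_Types' }
    [pscustomobject]@{
        Value       = ('0x{0:X8}' -f $Value)
        Types       = $types
        Rc4Allowed  = [bool]($Value -band $script:KerbEtype['RC4_HMAC_MD5'])
        # AES is enforced only when an AES bit is set and neither RC4 nor DES is.
        AesEnforced = [bool](($Value -band 0x18) -and -not ($Value -band 0x07))
    }
}

function Get-LocalKerbEtypePolicy {
    # The GPO writes this DWORD; a missing value means the policy is "Not Configured".
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $raw = (Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    ConvertFrom-KerbEtypeMask -Value $raw
}

function Get-AdUsersAllowingRc4 {
    # Requires the ActiveDirectory RSAT module; pass -SearchBase to scope a large domain.
    param([string] $SearchBase)
    $params = @{ Filter = '*'; Properties = 'msDS-SupportedEncryptionTypes' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | ForEach-Object {
        $decoded = ConvertFrom-KerbEtypeMask -Value $_.'msDS-SupportedEncryptionTypes'
        if ($decoded.Rc4Allowed) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Mask           = $decoded.Value
                Types          = ($decoded.Types -join ', ')
            }
        }
    }
}

# Worked values (constructed, not read from any real domain):
ConvertFrom-KerbEtypeMask -Value 0x7FFFFFFC   # GPO default: RC4 + AES128 + AES256 + Future -> Rc4Allowed True
ConvertFrom-KerbEtypeMask -Value 0x7FFFFFF8   # AES128 + AES256 + Future (the recommendation above) -> Rc4Allowed False
ConvertFrom-KerbEtypeMask -Value 0x18         # account with both AES checkboxes ticked -> AesEnforced True
Get-LocalKerbEtypePolicy                      # what the GPO actually set on this machine
```

Run `Get-AdUsersAllowingRc4` from a host with RSAT to see which accounts would still be issued RC4 tickets regardless of what the DC policy says; the per-account bits are the setting that removes RC4 for a specific principal, while the GPO governs what the machine it applies to will negotiate.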


MatCollins posted this 17 August 2016

Thanks for all the replies. 

Mike, based on your thoughts, I believe then either we can enable AES with GPO in Kerberos, or use the “This account supports AES-128/AES-256” checkbox in the account tab of a user? Because AFAIK they both do the same thing. Right?

MatCollins posted this 17 August 2016

I suppose it should be configured on the 'Default Domain Controller' policy? Or shall I create a separate GPO for this?

Also, in https://technet.microsoft.com/en-us/library/jj852180(v=ws.11).aspx in the "Countermeasure" section it says:

  • Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites.


Any ideas?