SAP Single Sign On Issues with Windows Server 2008 R2 Domain Controllers

By default, Data Encryption Standard (DES) encryption for Kerberos authentication is disabled in Windows Server 2008 R2; this is a change from Windows Server 2003. If you are running an application that uses DES encryption for Kerberos authentication, such as SAP, you may see issues authenticating users against 2008 R2 DCs. You will see errors in the System Log like the one below for the users in question:

“While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5.”

To resolve this issue you need to make the Group Policy change that allows DES encryption for Kerberos authentication on the DCs, as documented in this KB: http://support.microsoft.com/kb/977321.

  1. In the Group Policy Management Console (GPMC), navigate to the following location:

    Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options

  2. Click to select the Network security: Configure encryption types allowed for Kerberos option.

  3. Click to select Define these policy settings and all six check boxes for the encryption types.

  4. Click OK. Close the GPMC.

To be able to make this change, you first need to have installed the following hotfix: http://support.microsoft.com/kb/978055. This fix is included in Windows Server 2008 R2 SP1, so if you have installed SP1 you are already good to go.
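The GPMC setting above is stored on the DC as a bitmask, and each account carries its own allowed-etype bitmask in msDS-SupportedEncryptionTypes. The following PowerShell is an added example, not code from the original post or from the KB, that decodes both: it confirms the policy change actually landed on the DC and lists the accounts that are restricted to DES, which are the ones to migrate to AES so the DES policy can be scoped narrowly and turned back off later. It assumes it is run on a 2008 R2 DC with the ActiveDirectory module installed; the registry path and bit values are the documented ones for this policy.

```powershell
# Kerberos etype flag bits used by both the policy value and msDS-SupportedEncryptionTypes.
# Kept as an array of pairs so the output order is stable on PowerShell 2.0 (2008 R2).
$KerberosEtypeFlags = @(
    @('DES_CBC_CRC',      0x1),
    @('DES_CBC_MD5',      0x2),
    @('RC4_HMAC_MD5',     0x4),
    @('AES128_HMAC_SHA1', 0x8),
    @('AES256_HMAC_SHA1', 0x10),
    @('FutureEtypes',     0x7FFFFFE0)
)

function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory=$true)][int64]$Mask)
    foreach ($flag in $KerberosEtypeFlags) {
        if (($Mask -band $flag[1]) -ne 0) { $flag[0] }
    }
}

# "Network security: Configure encryption types allowed for Kerberos" writes this value;
# all six boxes checked = 0x7FFFFFFF. No value means the 2008 R2 default (DES disabled).
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$policy = Get-ItemProperty -Path $policyPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Output 'Policy not defined: the 2008 R2 default applies (DES disabled).'
} else {
    $mask = $policy.SupportedEncryptionTypes
    $names = (ConvertFrom-KerberosEtypeMask $mask) -join ', '
    Write-Output ('Policy mask 0x{0:X8} allows: {1}' -f $mask, $names)
    if (($mask -band 0x3) -ne 0) {
        Write-Output 'DES is enabled on this DC: tickets can be issued with 56-bit DES keys.'
    }
}

# Accounts whose msDS-SupportedEncryptionTypes has a DES bit set and no RC4/AES bit (0x1C).
# These are the service accounts that fail with the TGS error above when DES is disabled.
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=computer))(msDS-SupportedEncryptionTypes=*))' `
    -Properties msDS-SupportedEncryptionTypes |
    Where-Object {
        $m = $_.'msDS-SupportedEncryptionTypes'
        (($m -band 0x3) -ne 0) -and (($m -band 0x1C) -eq 0)
    } |
    Select-Object Name, DistinguishedName,
        @{ n = 'Etypes'; e = { (ConvertFrom-KerberosEtypeMask $_.'msDS-SupportedEncryptionTypes') -join ', ' } }
```

Accounts that show up in the last list with only DES etypes are the ones the linked TechNet thread's service-account steps apply to.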

A good discussion of this issue, and of the further steps you may need to take with service accounts, can be found here:

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8/