This command lists the trustedDomain objects in each domain's System container together with their msDS-SupportedEncryptionTypes attribute, so you can check whether the trusts are AES enabled:
/opt/quest/bin/vastool kinit host/; for d in `/opt/quest/bin/vastool info domains`; do echo $d; /opt/quest/bin/vastool search -b "cn=system,`echo $d | sed -e 's/\(.*\)/DC=\1/' -e 's/\./,DC=/g'`" -s one "(objectClass=trustedDomain)" dn msds-supportedencryptiontypes; echo; done
If nothing is set, the default behavior depends on the Windows server version of the DC and the state of the changes from:
The krbtgt account will also need to be AES enabled if not already.
Please look to Microsoft articles for further guidance on setting up AD properly for AES.
STEPS for SAS clients:
Run the following commands on each host. This could be automated in a script or GPO:

# This tells AD to only give out AES128/256 encrypted tickets for the computer object host/<fqdn> service.
/opt/quest/bin/vastool -u host/ setattrs host/ msds-supportedencryptiontypes 24

# This tells SAS/vastool to only request AES tickets for users logging in with a password.
/opt/quest/bin/vastool configure vas libdefaults default_etypes aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

# This sets up vasd to remove RC4 keys during each password change so there is no way SAS could validate an RC4 key if AD provided one.
printf '#!/bin/sh\n/opt/quest/bin/vastool ktutil remove -e arcfour-hmac-md5\n' > /opt/quest/libexec/vas/scripts/remove_rc4.sh
chmod +x /opt/quest/libexec/vas/scripts/remove_rc4.sh
/opt/quest/bin/vastool configure vas vasd password-change-script /opt/quest/libexec/vas/scripts/remove_rc4.sh

# Wait for the vasd parent process to see the vas.conf changes from above before continuing.
sleep 31

# Have host/ rotate its password and implement the new script.
/opt/quest/bin/vastool -u host/ passwd -r

# Verify that there are no keys other than AES in the keytab.
/opt/quest/bin/vastool ktutil list

# Use host/ as both a user and a user logging into host/ as a service to check ticket etypes.
/opt/quest/bin/vastool kinit -S host/ host/
/opt/quest/bin/vastool klist -v
NOTE: If a keytab for a service account was created with < QAS 4.1.5 the AES keys could be salted incorrectly, breaking them. The password / keytab should be re-made with a newer SAS version or generated from a Windows system.
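As an added example (not part of the original KB or of the SAS product), the following POSIX shell helpers decode an msDS-SupportedEncryptionTypes bitmask such as the 24 set above and count non-AES entries in a keytab or ticket listing. The bit values are Microsoft's documented ones for that attribute; the sample keytab listing and its column layout are constructed and may differ from real vastool output.

```shell
#!/bin/sh
# Added helper (not part of the original KB): decode msDS-SupportedEncryptionTypes
# bitmasks and scan keytab/ticket listings for non-AES etypes. Bit values follow
# Microsoft's definition of the attribute; the sample listing format is constructed.

# Print the etype names enabled in a msDS-SupportedEncryptionTypes bitmask.
decode_etypes() {
    mask=$1
    [ $((mask & 1)) -ne 0 ] && echo des-cbc-crc
    [ $((mask & 2)) -ne 0 ] && echo des-cbc-md5
    [ $((mask & 4)) -ne 0 ] && echo arcfour-hmac-md5
    [ $((mask & 8)) -ne 0 ] && echo aes128-cts-hmac-sha1-96
    [ $((mask & 16)) -ne 0 ] && echo aes256-cts-hmac-sha1-96
    return 0
}

# Succeed only when the bitmask is non-zero and sets nothing beyond AES128 (8) / AES256 (16).
# 24 (the value used in the steps above) passes; 28 fails because RC4 (4) is still set.
aes_only_mask() {
    mask=$1
    [ "$mask" -gt 0 ] && [ $((mask & ~24)) -eq 0 ]
}

# Count entries in a listing on stdin whose etype is DES, 3DES or RC4 (anything not AES).
# A clean host after the steps above should yield 0 for both 'vastool ktutil list'
# and 'vastool klist -v' output.
non_aes_count() {
    grep -ciE '(^|[^a-z0-9])(arcfour-hmac(-md5)?|rc4-hmac|des-cbc-(crc|md4|md5)|des3-cbc-sha1)' || true
}

# Constructed sample keytab listing; the real 'vastool ktutil list' columns may differ.
SAMPLE_KEYTAB='Vno  Type                      Principal
  3  aes256-cts-hmac-sha1-96   host/sashost.example.com@EXAMPLE.COM
  3  aes128-cts-hmac-sha1-96   host/sashost.example.com@EXAMPLE.COM
  3  arcfour-hmac-md5          host/sashost.example.com@EXAMPLE.COM'

# Stand-alone run: show what 24 enables and report leftover non-AES entries in the sample.
main() {
    echo "Bitmask 24 enables:"; decode_etypes 24
    printf '%s\n' "$SAMPLE_KEYTAB" | non_aes_count | sed 's/^/non-AES keytab entries: /'
}
main "$@"
```

To check a live host, pipe the real listing in instead of the sample, e.g. `/opt/quest/bin/vastool ktutil list | non_aes_count`.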
Change Request
438458
Additional Information
There are plans to implement an AES-only configuration feature in a future version of SAS.
For reference, the change request ID for this feature is 438458.
This KB article is intended to help meet audit requirements in the interim, before that feature is released.