User Cannot Pass Identity Authentication Due to Incorrect Encryption Algorithm Setting

Publication Date: 2012-07-27
Issue Description

The DSM interworks with the Microsoft AD domain controller. The OS of the Microsoft AD domain controller is Microsoft Windows Server 2008 and that of the terminal host installed with the DSM client is Microsoft Windows 7. After logging in to the OS with a Microsoft AD domain account, the terminal user selects the current domain account for automatic identity authentication. Microsoft AD domain accounts cannot pass the identity authentication.

Alarm Information

Handling Process

Create the authentication account by following the account creation procedure. After the account is created, keep the default encryption algorithm; that is, make sure the msDS-SupportedEncryptionTypes attribute of the authentication account is left as <not set>. Figure 1 shows the interface.
Figure 1 Default encryption algorithm of the authentication account

If the encryption algorithm of Microsoft Windows 7 is incorrectly specified, perform the following steps:
1. Log in to Microsoft Windows 7 with the Administrator account.
2. Open the Run window.
3. Enter gpedit.msc, and click OK.
The Local Computer Policy Editor window is displayed.
4. In the navigation tree, choose Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
5. In the right pane, right-click Network security: Configure encryption types allowed for Kerberos and select Properties.
6. Deselect AES128_HMAC_SHA1 and AES256_HMAC_SHA1 on the Local Security Settings tab.
Figure 2 shows the interface.
Figure 2 Deselecting AES128_HMAC_SHA1 and AES256_HMAC_SHA1

7. Click OK.
8. Close the Local Computer Policy Editor window and authenticate again.
Root Cause

The encryption algorithm setting of the authentication account is incorrect, or that of the Microsoft Windows 7 OS is incorrect.
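
To see which of the two settings deviates, the following PowerShell check reads both and decodes them. It is an added example, not part of the original article or of the DSM product. The account name dsm-auth is a hypothetical placeholder, and the script assumes a domain-joined session with read access to the directory.

```powershell
# Added example. The bit values are the documented Kerberos encryption-type
# flags shared by the local policy and msDS-SupportedEncryptionTypes.
function ConvertFrom-EtypeMask {
    param([int]$Mask)
    $flags = @(
        @{ Bit = 0x01; Name = 'DES_CBC_CRC' },
        @{ Bit = 0x02; Name = 'DES_CBC_MD5' },
        @{ Bit = 0x04; Name = 'RC4_HMAC_MD5' },
        @{ Bit = 0x08; Name = 'AES128_HMAC_SHA1' },
        @{ Bit = 0x10; Name = 'AES256_HMAC_SHA1' }
    )
    $names = @($flags | Where-Object { $Mask -band $_.Bit } | ForEach-Object { $_.Name })
    if ($Mask -band 0x7FFFFFE0) { $names += 'Future encryption types' }
    $names -join ', '
}

# 1. Client side: registry value written by the policy
#    "Network security: Configure encryption types allowed for Kerberos".
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$item = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($item -eq $null) {
    'Client policy : not defined (OS default encryption types apply)'
} else {
    $mask = $item.SupportedEncryptionTypes
    'Client policy : 0x{0:X} = {1}' -f $mask, (ConvertFrom-EtypeMask $mask)
}

# 2. Account side: msDS-SupportedEncryptionTypes of the authentication account.
$account  = 'dsm-auth'   # hypothetical account name, replace with your own
$attr     = 'msds-supportedencryptiontypes'   # result keys are lower case
$searcher = [adsisearcher]"(sAMAccountName=$account)"
[void]$searcher.PropertiesToLoad.Add($attr)
$result = $searcher.FindOne()
if ($result -eq $null) {
    "Account       : '$account' not found in the current domain"
} elseif (-not $result.Properties.Contains($attr)) {
    'Account       : msDS-SupportedEncryptionTypes is <not set> (expected default)'
} else {
    $mask = [int]$result.Properties[$attr][0]
    'Account       : 0x{0:X} = {1}' -f $mask, (ConvertFrom-EtypeMask $mask)
}
```

After step 6 of the procedure, AES128_HMAC_SHA1 and AES256_HMAC_SHA1 should no longer appear in the client policy line, and the account line should report <not set>.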