microsoft / CSS-Exchange

Exchange Server support tools and scripts
MIT License

Health Checker - msDS-SupportedEncryptionTypes #1137

Open bill-long opened 2 years ago

bill-long commented 2 years ago

It is becoming commonplace to disable RC4 encryption for Kerberos. This is typically accomplished with the following group policy:

image

When RC4 is disabled, an Exchange server will use AES with Kerberos when authenticating an LDAP connection. That works fine as long as it's talking to a DC in its own domain.

However, when Exchange tries to talk to a DC in a different domain (for example, if a GC in a different domain is in the local site), this can be a problem, because AES is not enabled on trusts by default.

image

When RC4 is disabled and this checkbox is not checked, Exchange will experience LDAP_LOCAL_ERROR when attempting to establish an LDAP connection to a DC in that domain. A network capture will show a KRB5KDC_ERR_ETYPE_NOSUPP error in the Kerberos response. This issue is also described here: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/unsupported-etype-error-accessing-trusted-domain

We could potentially check for this issue with the following logic:

  1. Check the security policy on the Exchange server. If RC4 is not allowed, then:
  2. Check the DCs we have in the local site. If we have DCs for domains other than the one the Exchange server is joined to, then:
  3. For all such domains, check msDS-SupportedEncryptionTypes:
```powershell
Get-ADObject -filter {objectclass -eq 'trustedDomain'} -Properties msDS-SupportedEncryptionTypes | Select-Object -Property DistinguishedName, Name, msDS-SupportedEncryptionTypes
```

```
DistinguishedName                              Name             msDS-SupportedEncryptionTypes
-----------------                              ----             -----------------------------
CN=child.lab5.local,CN=System,DC=lab5,DC=local child.lab5.local                            24
CN=tree5.local,CN=System,DC=lab5,DC=local      tree5.local
```

0/not set = RC4, 24 = AES, 28 = RC4 or AES. So if this is 0 or not set, flag it in that scenario.
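The following is an added example, not code from the CSS-Exchange project or from this issue's author, showing how the three-step logic above could be implemented: decode the `msDS-SupportedEncryptionTypes` bitmask, read the local Kerberos encryption-type policy, and flag any trust that offers no AES while RC4 is disabled locally. It assumes the standard bit values of the attribute (RC4-HMAC = 4, AES128 = 8, AES256 = 16), that the group policy shown in the first screenshot writes `SupportedEncryptionTypes` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters`, and that the function names (`ConvertTo-EtypeNames`, `Get-LocalKerberosPolicy`, `Test-TrustEtypeCompatibility`) are hypothetical. The sample trust objects are constructed from the two rows in the output above; step 2 (restricting to domains that have DCs in the local site) is left to the caller.

```powershell
# Added example: evaluate trusts for the RC4-disabled / AES-not-on-trust mismatch.
# Not part of HealthChecker; function names and sample data are constructed here.

# Bit values of msDS-SupportedEncryptionTypes (same layout as the Kerberos policy value).
$script:KerbEtype = [ordered]@{
    'DES-CBC-CRC'     = 0x01
    'DES-CBC-MD5'     = 0x02
    'RC4-HMAC'        = 0x04
    'AES128-CTS-HMAC' = 0x08
    'AES256-CTS-HMAC' = 0x10
}

function ConvertTo-EtypeNames {
    # Returns the human-readable encryption types for a bitmask value.
    param([AllowNull()][Nullable[int]]$Value)
    # On a trustedDomain object, 0 or an unset attribute means RC4 only (see the issue text).
    if ($null -eq $Value -or $Value -eq 0) { return @('RC4-HMAC (default, attribute not set)') }
    $names = foreach ($kv in $script:KerbEtype.GetEnumerator()) {
        if (($Value -band $kv.Value) -ne 0) { $kv.Key }
    }
    return @($names)
}

function Get-LocalKerberosPolicy {
    # "Network security: Configure encryption types allowed for Kerberos" writes this value.
    # Returns $null when the policy is not configured on this machine.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
}

function Test-TrustEtypeCompatibility {
    <#
      Compares the local Kerberos policy with each trust's msDS-SupportedEncryptionTypes.
      A trust is flagged (AtRisk = $true) when RC4 is disabled locally (policy present with
      the RC4 bit clear) and the trust offers no AES (attribute unset, 0, or bits 8/16 clear).
      $Trusts: objects exposing Name and msDS-SupportedEncryptionTypes, e.g. Get-ADObject output.
    #>
    param(
        [AllowNull()][Nullable[int]]$LocalPolicy,
        [Parameter(Mandatory)][object[]]$Trusts
    )
    $rc4DisabledLocally = ($null -ne $LocalPolicy) -and (($LocalPolicy -band 0x04) -eq 0)
    foreach ($t in $Trusts) {
        $v = $t.'msDS-SupportedEncryptionTypes'
        $trustHasAes = ($null -ne $v) -and (($v -band 0x18) -ne 0)
        [pscustomobject]@{
            Trust            = $t.Name
            TrustEtypes      = (ConvertTo-EtypeNames $v) -join ', '
            LocalRc4Disabled = $rc4DisabledLocally
            AtRisk           = ($rc4DisabledLocally -and -not $trustHasAes)
        }
    }
}

# Constructed sample: the two trusts from the issue output, checked against a local policy
# value of 24 (AES128 + AES256 only), i.e. RC4 disabled on the Exchange server.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'child.lab5.local'; 'msDS-SupportedEncryptionTypes' = 24 }
    [pscustomobject]@{ Name = 'tree5.local';      'msDS-SupportedEncryptionTypes' = $null }
)
Test-TrustEtypeCompatibility -LocalPolicy 24 -Trusts $sampleTrusts | Format-Table -AutoSize

# Live use on the Exchange server (requires the ActiveDirectory module):
# $trusts = Get-ADObject -Filter { objectClass -eq 'trustedDomain' } -Properties msDS-SupportedEncryptionTypes
# Test-TrustEtypeCompatibility -LocalPolicy (Get-LocalKerberosPolicy) -Trusts $trusts
```

With the constructed input, `child.lab5.local` (value 24) is reported as compatible and `tree5.local` (attribute not set) is flagged, which matches the "0 or not set" rule stated above. Treating an absent local policy as "RC4 still allowed" keeps the check from producing false positives on servers where the group policy has never been applied.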

dpaulson45 commented 1 year ago

Also need to include this test within SetupAssist as well. This appears to cause issues when trying to install Exchange, making it appear that you don't have the correct group membership.

image