Hey everyone, Theron (aka T-) here, Senior Consultant with Microsoft Consulting Services (MCS).
I was working with a customer recently to help migrate their Microsoft BitLocker Administration and Monitoring (MBAM) front-end server to Server 2019, and ran into an issue that isn’t related to Server 2019 in particular, but instead to the new security posture the customer is implementing for that OS in their environment.
Note: MBAM isn’t officially supported with Server 2019, so if you want to give it a shot, proceed at your own risk.
The issue occurred after the new server was configured and communicating with the databases. Once we directed clients to the new MBAM server, we started seeing the following in their EventLog:
As you can see, that event is pretty generic and even referencing this didn’t help. So, onto the MBAM server’s EventLog, maybe that’ll help. Here’s what we were seeing:
Well, that’s a bit more helpful, at least it points us to look at something in particular, the SPN. There are more details about the event here.
I knew the SPNs were configured correctly, so that couldn’t be it. For more info re: MBAM SPNs, refer to this.
As I stared at the event, something struck me as odd…
The encryption type requested is not supported by the KDC.
Well, that didn’t make any sense…we were using the same service account on the new server as on the server being replaced, and it had worked fine before. So, what’s going on?!?!
Then, in a moment of great, albeit brief clarity and to be honest, possible genius*, I remembered that the customer, believe it or not, followed our recommendation of disabling a legacy Kerberos encryption type for their Server 2019 implementation…RC4. Here’s information for doing that.
We made a change to the MBAM front-end server allowing the use of RC4 and voila, the issues were gone and clients could escrow their key and report compliance data.
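As an added example (not from the original post, and not MBAM's own tooling), here is a PowerShell check that decodes which Kerberos encryption types this host's policy permits and which ones the service account advertises to the KDC in msDS-SupportedEncryptionTypes, alongside its SPNs. The account name svc-mbam, the RSAT ActiveDirectory module, and the local policy registry value are assumptions.

```powershell
# Added example: compare the Kerberos encryption types allowed by this host's
# policy with the ones the service account advertises, plus its SPNs.
# Assumes the ActiveDirectory RSAT module is installed on the host and that
# $ServiceAccount names the MBAM service account (placeholder, change to yours).
param(
    [string]$ServiceAccount = 'svc-mbam'
)

# Bit values shared by msDS-SupportedEncryptionTypes and the policy
# "Network security: Configure encryption types allowed for Kerberos".
$EncTypeBits = [ordered]@{
    DES_CBC_CRC          = 0x01
    DES_CBC_MD5          = 0x02
    RC4_HMAC             = 0x04
    AES128_CTS_HMAC_SHA1 = 0x08
    AES256_CTS_HMAC_SHA1 = 0x10
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    if ($Mask -eq 0) { return @('(not set: defaults apply)') }
    $EncTypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# 1. What this host is allowed to use (the policy the customer tightened).
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$hostMask = [int](Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes `
                 -ErrorAction SilentlyContinue).SupportedEncryptionTypes
"Host policy allows : $((ConvertFrom-EncTypeMask $hostMask) -join ', ')"

# 2. What the service account advertises to the KDC, and which SPNs it holds.
Import-Module ActiveDirectory
$acct     = Get-ADUser -Identity $ServiceAccount `
                -Properties msDS-SupportedEncryptionTypes, servicePrincipalName
$acctMask = [int]$acct.'msDS-SupportedEncryptionTypes'
"Account advertises : $((ConvertFrom-EncTypeMask $acctMask) -join ', ')"
"SPNs               : $($acct.servicePrincipalName -join ', ')"

# 3. Flag the combination worth reviewing before re-enabling RC4 on the host:
#    the host policy excludes RC4 while the account does not advertise any AES type.
$acctHasAes = ($acctMask -band 0x18) -ne 0
if ($hostMask -ne 0 -and (($hostMask -band 0x04) -eq 0) -and -not $acctHasAes) {
    Write-Warning "Host policy excludes RC4 and $ServiceAccount advertises no AES type; review msDS-SupportedEncryptionTypes on the account."
}
```

Run it on the MBAM front-end server as a user that can read the account object; the output is informational only and changes nothing.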
Now, you may be asking “Why did enabling RC4 solve the issue?” and you’d be asking a very good question. One that right at this moment, I don’t have an answer for, but it’s on my long list of things to do… figure it out.
Stay safe and Roll Tide!!
*– I kid, I kid, I joke, I joke.