Force Secure Kerberos Encryption on Zentyal

A few months ago, I switched from a Windows-based Active Directory environment to a Linux alternative called Zentyal. So far, everything works great. I was able to recreate my AD structure and recreate new group policies based on the ones from my old install.

The only thing I would recommend is taking plenty of backups of Zentyal, especially before creating/modifying group policy. A few weeks ago I changed one setting which broke the SYSVOL share, and when I tried to connect back to it with Windows Lightweight Active Directory Services, it kept saying “Access Denied” even though I was logged into the Domain Admin account. Basically, I had to restore a backup to get the server up and running again.

Getting back on track, to force Zentyal to use secure Kerberos encryption, we’ll need to make a backup and modify the group policy.

1. Open Group Policy Editor

Open the group policy editor, edit the “Default Domain Policy”, and navigate to:

  • Computer Configuration
    • Policies
      • Windows Settings
        • Security Settings
          • Local Policies
            • Security Options.

2. Define Settings

Open the “Network security: Configure encryption types allowed for Kerberos” setting, click Enabled, and check only the AES 256-bit (AES-256) and Future Encryption options. Then click “OK” and exit the group policy.

3. Repeat for Default DC Policy

Next, we’ll need to edit the “Default Domain Controller Policy” and define the same settings. So follow the steps above to configure the encryption types.

4. Enforce Group Policy

Right-click on the “Default Domain Policy” and click “Enforce”. Repeat the same steps for the “Default Domain Controller Policy” and that’s it. Your Zentyal-based AD is now more secure, using stronger Kerberos encryption between clients.
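
To check that both GPOs really carry the intended selection, the sketch below (an added example, not part of the original post) decodes the SupportedEncryptionTypes bitmask that this policy writes into a GPO's GptTmpl.inf and confirms that only AES-256 and future types are enabled. The sample file contents and the function names are constructed for illustration.

```python
import re

# Bit flags of the SupportedEncryptionTypes value written by the policy
# "Network security: Configure encryption types allowed for Kerberos".
ETYPES = {
    0x1: "DES_CBC_CRC",
    0x2: "DES_CBC_MD5",
    0x4: "RC4_HMAC_MD5",
    0x8: "AES128_HMAC_SHA1",
    0x10: "AES256_HMAC_SHA1",
}
FUTURE_MASK = 0x7FFFFFE0     # bits set by the "Future encryption types" box
WANTED = 0x10 | FUTURE_MASK  # AES-256 + future types only (2147483632)

# Security options are stored as "<registry path>=<type>,<value>"; type 4 = DWORD.
VALUE_RE = re.compile(
    r"Kerberos\\Parameters\\SupportedEncryptionTypes\s*=\s*4\s*,\s*(\d+)",
    re.IGNORECASE,
)

def decode(value):
    """Translate the bitmask into the names of the enabled encryption types."""
    names = [name for bit, name in ETYPES.items() if value & bit]
    if value & FUTURE_MASK == FUTURE_MASK:
        names.append("FUTURE")
    return names

def audit_gpttmpl(text):
    """Return (ok, enabled_types) for the text of a GPO's GptTmpl.inf."""
    match = VALUE_RE.search(text)
    if match is None:
        return False, []  # the setting is not defined in this GPO
    value = int(match.group(1))
    return value == WANTED, decode(value)

# Constructed samples: the hardened setting, and one that still allows
# RC4 and AES-128 alongside AES-256.
SAMPLE_GOOD = """[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\SupportedEncryptionTypes=4,2147483632
"""
SAMPLE_WEAK = SAMPLE_GOOD.replace("2147483632", "2147483644")

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, audit_gpttmpl(text))
```

GptTmpl.inf sits under each GPO's `MACHINE\Microsoft\Windows NT\SecEdit` folder in SYSVOL and is normally UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `audit_gpttmpl`.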
