Changes for AES encryption on AD

Changed value for key of win_security_policy Enabled encryption methods using ksetup on AD domains. Signed-off-by: Anuja More <[email protected]>
freeipa · Jul 3, 2020 · 47c117a · 47c117a
1 parent a72f3de
commit 47c117a
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 12 deletions.
diff --git a/ansible/provision_ad.yml b/ansible/provision_ad.yml
@@ -35,6 +35,21 @@
   roles:
     - windows/ad-subdomain
 
+- hosts: ad-root
+  any_errors_fatal: true
+  tasks:
+    - name: Force AES encryption types on a trust to child domain
+      win_shell: ksetup /setenctypeattr "{{ ad_child_domain }}" RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
+
+    - name: Force AES encryption types on a trust to tree domain
+      win_shell: ksetup /setenctypeattr "{{ ad_tree_domain }}" RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
+
+- hosts: ad-child,ad-tree
+  any_errors_fatal: true
+  tasks:
+    - name: Force AES encryption types on a trust to parent domain
+      win_shell: ksetup /setenctypeattr "{{ ad_root_domain }}" RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
+
 - hosts: ad-root,ad-child,ad-tree
   vars:
     ansible_user: Administrator

diff --git a/ansible/roles/windows/ad-root/tasks/main.yml b/ansible/roles/windows/ad-root/tasks/main.yml
@@ -5,12 +5,6 @@
     safe_mode_password: "{{ safe_mode_password }}"
   register: win_root_domain
 
-- name: Enforce AES encryption
-  win_security_policy:
-    section: Registry Values
-    key: "MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\SupportedEncryptionTypes"
-    value: 4,2147483640
-
 - name: Reboot Windows
   win_reboot:
     test_command: 'Get-ADUser -Filter {Name -eq "Administrator"}'

diff --git a/ansible/roles/windows/ad-subdomain/tasks/main.yml b/ansible/roles/windows/ad-subdomain/tasks/main.yml
@@ -34,11 +34,5 @@
     win_reboot:
       test_command: 'Get-ADUser -Filter {Name -eq "Administrator"}'
 
-  - name: Enforce AES encryption
-    win_security_policy:
-      section: Registry Values
-      key: "MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\SupportedEncryptionTypes"
-      value: 4,2147483640
-
   - name: reset Administartor password
     win_shell: net user Administrator Secret123
diff --git a/ansible/roles/windows/common/tasks/main.yml b/ansible/roles/windows/common/tasks/main.yml
@@ -26,3 +26,9 @@
 
 - name: install sshd
   include_role: name=windows/sshd
+
+- name: Enforce AES encryption
+  win_security_policy:
+    section: Registry Values
+    key: "MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\SupportedEncryptionTypes"
+    value: 4,2147483644