This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview[1]
[{$pagename}] is the attribute that lists the [encryption] [algorithms] supported by a user, computer or trust account.
The [KDC] uses the [{$pagename}] information when generating a [Service Ticket] for this account. Services and computers can automatically update this attribute on their respective accounts in [Microsoft Active Directory], and therefore need write [access] [Permission] to this attribute.
!! [{$pagename}] Values
[{$pagename}] values are defined in [Kerberos Encryption Types] (comparable to [Cipher Suites]).
When editing the [{$pagename}] attribute, you have to combine the appropriate [bits] to get the [integer] value to store in the attribute.
Additionally, in the [UserAccountControl] attribute you [SHOULD] also clear the [USE_DES_KEY_ONLY] (0x200000) bit, so that the use of a [DES] key is no longer forced for the account.
Decoding [{$pagename}] [Bitmask]:
* 0x01 - [DES]-[CBC]-[CRC]
* 0x02 - [DES]-[CBC]-[MD5]
* 0x04 - [RC4]-[HMAC]
* 0x08 - [AES128|AES-128]-CTS-[HMAC]-[SHA1]-96 ([Hash Function] with the MAC truncated to 96 [bits])
* 0x10 - [AES256|AES-256]-CTS-[HMAC]-[SHA1]-96 ([Hash Function] with the MAC truncated to 96 [bits])
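An added example (not code from the original page) that decodes and encodes the bitmask above and audits an account for the weak [DES] and [RC4] types and the [USE_DES_KEY_ONLY] bit; the account names and attribute values are constructed, not real directory data.

```python
# Added example (not the page's code): decode, encode and audit the msDS-SupportedEncryptionTypes bitmask.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_ENCTYPES = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}
USE_DES_KEY_ONLY = 0x200000  # userAccountControl bit named on this page

def decode_enctypes(value):
    """Return the encryption type names whose bits are set in value."""
    names = [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]
    unknown = value & ~sum(ENCTYPE_BITS)
    if unknown:  # bits this page does not define; report rather than drop them
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names

def encode_enctypes(names):
    """Combine the bits for the given names into the integer to store."""
    by_name = {name: bit for bit, name in ENCTYPE_BITS.items()}
    value = 0
    for name in names:
        value |= by_name[name]
    return value

def audit_account(sam, supported_enctypes, user_account_control):
    """Return findings for one account; an empty list means nothing weak."""
    findings = []
    if supported_enctypes is None:
        findings.append(f"{sam}: attribute not set, KDC defaults apply")
        return findings
    enabled = decode_enctypes(supported_enctypes)
    weak = [e for e in enabled if e in WEAK_ENCTYPES]
    if weak:
        findings.append(f"{sam}: weak enctypes enabled: {', '.join(weak)}")
    if not any(e.startswith("AES") for e in enabled):
        findings.append(f"{sam}: no AES enctype enabled")
    if user_account_control & USE_DES_KEY_ONLY:
        findings.append(f"{sam}: USE_DES_KEY_ONLY (0x200000) set in userAccountControl")
    return findings

# Constructed sample accounts (hypothetical names and values, not real data).
SAMPLE_ACCOUNTS = [
    ("svc-legacy", 0x07, 0x210200),  # DES + RC4 enabled and DES key forced
    ("svc-modern", 0x18, 0x10200),   # AES128 + AES256 only
]
for sam, enc, uac in SAMPLE_ACCOUNTS:
    print("\n".join(audit_account(sam, enc, uac)) or f"{sam}: ok")
```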
!! [LDAP] [Microsoft Active Directory] [Attribute] Definition
The [{$pagename}] [AttributeTypes] is defined as:
* [OID] of [1.2.840.113556.1.4.1963]
* [NAME|Attribute-Name]: [{$pagename}]
* [DESC]:
* [OBSOLETE flag] (only if present)
* [Supertype]:
** (only if present)
* [EQUALITY]: []
* [ORDERING]: []
* [SYNTAX]: [2.5.5.9]
* [SINGLE-VALUE]
* [USAGE]: [UserApplications]
* [Extended Flags]:
** [X-SYSTEMFLAGS]: [FLAG_SCHEMA_BASE_OBJECT]
** [X-SCHEMAFLAGSEx]: [FLAG_ATTR_IS_CRITICAL]
** [X-ORIGIN]: [MSDN]
* Used as [MUST] in:
**
* Used [MAY] in:
**
!! Allowed [Kerberos Encryption Types] Local [Group Policy Object] Setting
In [Windows 7]/[Windows Server 2008 R2], a new [Group Policy Object] setting was introduced for specifying the [encryption] types allowed for [Kerberos]. This is a system-wide global setting that affects all the accounts on the computer where the policy is applied. With this setting, the encryption/decryption capability of each crypto system (AES256, AES128, RC4, DES etc.) can be enabled or disabled individually. As a result, even if an individual [encryption] type is included in the supported encryption type list discussed in the last two sections, it will not be selected when it is disabled by this policy.
The main purpose is to disable [DES] [encryption], which is widely considered not secure enough, on any Windows 7/Windows Server 2008 R2 computer by default. You may notice that the policy setting “Network Security: Configure Encryption types allowed for [Kerberos]” is “Not Defined” on a new system. When this policy setting is not defined, all crypto systems except DES are available for encryption. Administrators can define this policy setting to enable or disable each individual crypto system, including DES.
!! [Microsoft Management Console] ([MMC])
[MsDS-SupportedEncryptionTypes/MMC-msDS-SupportedEncryptionTypes.png]
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Windows Configurations for Kerberos Supported Encryption Type|https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/|target='_blank'] - based on information obtained 2018-05-16