Overview

Kerberos Encryption Types (etype) are defined in the IANA registry "Kerberos Encryption Type Numbers".
These are signed 32-bit values ranging from -2147483648 to 2147483647. RFC 3961 (section 8) sets the assignment rules:
- Positive values should be assigned only for algorithms specified in accordance with RFC 3961 for use with Kerberos or related protocols.
- Negative values are for private use; local and experimental algorithms should use these values.
- Zero is reserved and may not be assigned.
Kerberos Encryption Types for Microsoft Windows

The Kerberos Encryption Types that a Windows account or service may use are determined by the msDS-SupportedEncryptionTypes attribute on the account object, or by the Windows defaults when that attribute is not set.
One consequence: a Windows Vista/Windows 7 client first tries AES when it sends Kerberos Pre-Authentication data to a Domain Controller. Windows Server 2003 DCs do not support AES for Kerberos, so such a DC rejects the request (and writes a failed pre-authentication event to the Windows Event Log) and tells the client to try again with one of the Kerberos Encryption Types the DC does support, which usually ends up being RC4-HMAC. The client therefore silently falls back to a weaker etype on an older DC.
The table below lists the etypes that are likely to be encountered. The msDS bit column gives the bit that enables the etype in msDS-SupportedEncryptionTypes; etypes without a value there cannot be enabled through that attribute.
||Encryption type||Aliases||etype (dec)||etype (hex)||msDS bit||Description||RFC||Windows support||MIT Kerberos support||Notes||
|DES-CBC-CRC|des-cbc-crc|1|0x0001|0x0001|DES CBC mode with CRC-32|RFC 3961 section 6.2.3|Windows 2000+, disabled by default as of Windows Server 2008 R2|Up to 1.17; single-DES removed in 1.18|Cryptographically weak and deprecated (RFC 6649)|
|DES-CBC-MD4|des-cbc-md4|2|0x0002| |DES CBC mode with RSA-MD4|RFC 3961 section 6.2.2|Not supported|Up to 1.17; single-DES removed in 1.18|Cryptographically weak and deprecated (RFC 6649)|
|DES-CBC-MD5|des-cbc-md5, des|3|0x0003|0x0002|DES CBC mode with RSA-MD5|RFC 3961 section 6.2.1|Windows 2000+, disabled by default as of Windows Server 2008 R2|Up to 1.17; single-DES removed in 1.18|Cryptographically weak and deprecated (RFC 6649)|
|DES-CBC-raw|des-cbc-raw|4|0x0004| |DES CBC mode raw (no integrity check)|Marked as "reserved" in RFC 3961|Not supported|Unknown|Weak and deprecated; not defined in any RFC|
|DES3-CBC-raw|des3-cbc-raw|6|0x0006| |Triple DES CBC mode raw (no integrity check)|Marked as "reserved" in RFC 3961|Not supported|Unknown|Cryptographically weak and deprecated; not defined in any RFC|
|DES3-CBC-SHA1|des3-cbc-sha1-kd, des3-hmac-sha1, des3|16|0x0010| |Triple DES CBC mode with HMAC/SHA-1|RFC 3961 section 6.3|Not supported|1.1|Deprecated by RFC 8429|
|AES128-CTS-HMAC-SHA1-96|aes128-cts, aes128-sha1|17|0x0011|0x0008|AES-128 CTS mode with 96-bit SHA-1 HMAC|RFC 3962|Windows Server 2008+|1.3| |
|AES256-CTS-HMAC-SHA1-96|aes256-cts, aes256-sha1|18|0x0012|0x0010|AES-256 CTS mode with 96-bit SHA-1 HMAC|RFC 3962|Windows Server 2008+|1.3| |
|AES128-CTS-HMAC-SHA256-128|aes128-sha2|19|0x0013| |AES-128 CTS mode with 128-bit SHA-256 HMAC|RFC 8009|Not supported|1.15|RFC 8009 was only published in October 2016|
|AES256-CTS-HMAC-SHA384-192|aes256-sha2|20|0x0014| |AES-256 CTS mode with 192-bit SHA-384 HMAC|RFC 8009|Not supported|1.15|RFC 8009 was only published in October 2016|
|RC4-HMAC|rc4-hmac, arcfour-hmac, arcfour-hmac-md5|23|0x0017|0x0004|ArcFour (RC4) with HMAC/MD5|RFC 4757|Windows 2000+|1.3|Deprecated by RFC 8429; what Windows usually falls back to when AES is not negotiated|
|RC4-HMAC-EXP|rc4-hmac-exp, arcfour-hmac-exp, arcfour-hmac-md5-exp|24|0x0018| |Exportable ArcFour (RC4) with HMAC/MD5|RFC 4757|Windows 2000+|1.3|Cryptographically weak and deprecated (RFC 6649)|
|CAMELLIA128-CTS-CMAC|camellia128-cts|25|0x0019| |Camellia-128 CTS mode with CMAC|RFC 6803|Not supported|1.9| |
|CAMELLIA256-CTS-CMAC|camellia256-cts|26|0x001a| |Camellia-256 CTS mode with CMAC|RFC 6803|Not supported|1.9| |
Operating systems are not always configured to the same cipher levels for Kerberos Encryption Types: some do not support etype negotiation, some do not support Kerberos Pre-Authentication, and some do not support the AES ciphers at all. When auditing a domain, check both the account's msDS-SupportedEncryptionTypes value and what the client actually offers, since the weakest overlap is what gets used.
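The following is an added example, not code from the original page, tying together the Windows section and the etype table above: it decodes an msDS-SupportedEncryptionTypes value into the etypes it enables (masking off the KDC feature flags that share the attribute, per MS-KILE 2.2.7), applies the IANA range rules to etype numbers, and predicts which etype a client and a Windows KDC will settle on, flagging the RC4 fallback described above. Two things are assumptions rather than facts from the page: that an account with the attribute unset is treated as RC4-HMAC only, and that the KDC picks the first etype in the client's preference list that the account supports (a real Windows KDC may apply its own ordering). The client etype lists are constructed sample input.

```python
"""Added example, not code from the original page: decode an account's
msDS-SupportedEncryptionTypes value and predict which etype a client and a
Windows KDC will settle on, flagging a fallback to a weak etype."""

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

# IANA etype number -> name, taken from the table above.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 4: "des-cbc-raw",
    6: "des3-cbc-raw", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac", 24: "rc4-hmac-exp",
    25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}

# msDS-SupportedEncryptionTypes bits that name an etype (MS-KILE 2.2.7),
# mapped to the IANA etype number from the table.
MSDS_ETYPE_BITS = {0x1: 1, 0x2: 3, 0x4: 23, 0x8: 17, 0x10: 18}

# The same attribute also carries KDC feature flags (MS-KILE 2.2.7); they
# must be separated from the etype bits when decoding.
MSDS_FEATURE_BITS = {
    0x10000: "FAST_SUPPORTED",
    0x20000: "COMPOUND_IDENTITY_SUPPORTED",
    0x40000: "CLAIMS_SUPPORTED",
    0x80000: "RESOURCE_SID_COMPRESSION_DISABLED",
}

# DES family and exportable RC4 are marked weak in the table (RFC 6649);
# des3-cbc-sha1 and rc4-hmac were deprecated by RFC 8429.
WEAK_ETYPES = {1, 2, 3, 4, 6, 16, 23, 24}

# Assumption (the page only says "the defaults if not set"): an account with
# the attribute unset is treated as supporting RC4-HMAC only.
DEFAULT_WHEN_UNSET = 0x4


def classify_etype(etype):
    """Apply the IANA registry rules: zero is reserved, negative numbers are
    private use, positive numbers are assigned (named if in the table)."""
    if not INT32_MIN <= etype <= INT32_MAX:
        raise ValueError(f"etype {etype} is outside the signed 32-bit range")
    if etype == 0:
        return "reserved"
    if etype < 0:
        return "private-use"
    return ETYPE_NAMES.get(etype, "assigned (not in table)")


def decode_supported_enctypes(value):
    """Split an msDS-SupportedEncryptionTypes value (None = attribute unset)
    into (set of etype numbers, list of feature flag names)."""
    raw = DEFAULT_WHEN_UNSET if value is None else value
    etypes = {et for bit, et in MSDS_ETYPE_BITS.items() if raw & bit}
    features = [name for bit, name in MSDS_FEATURE_BITS.items() if raw & bit]
    return etypes, features


def negotiate(client_etypes, account_value):
    """Return (etype, is_weak) for the first etype in the client's preference
    list that the account supports, or (None, False) when nothing overlaps.
    Assumption: the KDC honours the client's order; a real Windows KDC may
    apply its own ordering, so treat the result as an estimate."""
    supported, _ = decode_supported_enctypes(account_value)
    for et in client_etypes:
        classify_etype(et)  # raises on an out-of-range etype in the request
        if et in supported:
            return et, et in WEAK_ETYPES
    return None, False


if __name__ == "__main__":
    # Constructed sample: the AS-REQ etype list of a client that prefers AES,
    # checked against accounts with different attribute values.
    client_prefs = [18, 17, 23, 3, 1]
    for label, value in [("unset", None), ("0x1C (RC4+AES)", 0x1C),
                         ("0x18 (AES only)", 0x18), ("0x8001C", 0x8001C)]:
        etypes, features = decode_supported_enctypes(value)
        chosen, weak = negotiate(client_prefs, value)
        outcome = classify_etype(chosen) if chosen else "no overlap"
        print(f"{label:>16}: supports {sorted(etypes)} features={features} "
              f"-> {outcome}{' (WEAK, downgrade)' if weak else ''}")
```

Feed real values from `Get-ADUser -Properties msDS-SupportedEncryptionTypes` (or an LDAP search for that attribute) into `decode_supported_enctypes` to see which accounts still accept RC4 or DES; an account that decodes to `{23}` only is the RC4 fallback case from the Windows section.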