The KDC consults the msDS-SupportedEncryptionTypes attribute of the target service account when it chooses the encryption type for a Service Ticket issued for that account. Services and computers can update this attribute on their own accounts in Microsoft Active Directory, so they need write permission to the attribute.
msDS-SupportedEncryptionTypes Values#
msDS-SupportedEncryptionTypes values are defined in terms of Kerberos Encryption Types (comparable to Cipher Suites). The attribute is a bitmask: when editing it, you combine the bits of the encryption types you want to allow into a single integer value.
Decoding the msDS-SupportedEncryptionTypes bitmask:
- 0x01 - DES-CBC-CRC
- 0x02 - DES-CBC-MD5
- 0x04 - RC4-HMAC
- 0x08 - AES128-CTS-HMAC-SHA1-96 (AES-128 in CTS mode, HMAC-SHA1 truncated to 96 bits)
- 0x10 - AES256-CTS-HMAC-SHA1-96 (AES-256 in CTS mode, HMAC-SHA1 truncated to 96 bits)
For example, RC4 plus both AES types is 0x04 + 0x08 + 0x10 = 0x1C (decimal 28), and AES only is 0x08 + 0x10 = 0x18 (decimal 24).
LDAP Microsoft Active Directory Attribute Definition#
The msDS-SupportedEncryptionTypes AttributeType is defined as:
- OID of 1.2.840.113556.1.4.1963
- NAME: msDS-SupportedEncryptionTypes
- SYNTAX: Integer (1.3.6.1.4.1.1466.115.121.1.27; Active Directory attribute syntax 2.5.5.9)
- USAGE: userApplications
Allowed Kerberos Encryption Types Local Group Policy Object Setting#
Windows 7 and Windows Server 2008 R2 introduced a Group Policy Object setting for specifying the encryption types allowed for Kerberos. It is a system-wide setting that affects every account on the computer where the policy is applied. With it, you can enable or disable the encryption and decryption capability of each crypto system (AES256, AES128, RC4, DES, etc.) individually. Consequently, even when an encryption type is included in an account's supported encryption type list (as described in the previous two sections), it will not be selected if the policy on the computer disables it: the effective set is the intersection of the account's bitmask and the policy's bitmask.
The main purpose of the setting is to disable DES encryption, which is widely considered insufficiently secure, on Windows 7 and Windows Server 2008 R2 computers by default. On a new system the policy setting "Network Security: Configure encryption types allowed for Kerberos" is "Not Defined". When the setting is not defined, all crypto systems except DES are available for encryption. Administrators can define the setting to enable or disable each individual crypto system, including DES.
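The following is an added example, not code from the original page: it encodes and decodes the bitmask described in the msDS-SupportedEncryptionTypes Values section, applies the machine-wide policy bitmask from this section to an account value to get the effective set, and flags accounts that still allow DES or RC4. The bit values are the five listed on this page; the policy default of "everything except DES" (0x1C) when the GPO is "Not Defined" is taken from the text above. Sample values are constructed for illustration. Bits above 0x10 are defined elsewhere (MS-KILE) for non-cipher features such as FAST and claims and are reported as unknown rather than interpreted.

```python
from typing import Iterable, List, Optional

# Bit values of msDS-SupportedEncryptionTypes as listed on this page.
ETYPE_BITS = {
    "DES-CBC-CRC": 0x01,
    "DES-CBC-MD5": 0x02,
    "RC4-HMAC": 0x04,
    "AES128-CTS-HMAC-SHA1-96": 0x08,
    "AES256-CTS-HMAC-SHA1-96": 0x10,
}
DES_MASK = ETYPE_BITS["DES-CBC-CRC"] | ETYPE_BITS["DES-CBC-MD5"]
RC4_MASK = ETYPE_BITS["RC4-HMAC"]
AES_MASK = ETYPE_BITS["AES128-CTS-HMAC-SHA1-96"] | ETYPE_BITS["AES256-CTS-HMAC-SHA1-96"]
KNOWN_MASK = DES_MASK | RC4_MASK | AES_MASK

# Policy value the page describes for a "Not Defined" GPO: all crypto systems except DES.
POLICY_NOT_DEFINED = RC4_MASK | AES_MASK  # 0x1C


def decode_etypes(value: int) -> List[str]:
    """Return the names of the encryption types set in a bitmask value.

    Bits outside the five on this page (e.g. MS-KILE feature flags such as
    FAST or claims) are reported verbatim as unknown instead of being guessed at.
    """
    names = [name for name, bit in ETYPE_BITS.items() if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def encode_etypes(names: Iterable[str]) -> int:
    """Combine encryption type names into the integer to write to the attribute.

    A misspelled name raises KeyError rather than silently producing a weaker mask.
    """
    value = 0
    for name in names:
        value |= ETYPE_BITS[name]
    return value


def effective_etypes(account_value: int, policy_value: Optional[int] = None) -> List[str]:
    """Encryption types the KDC can actually pick for a service account on a host.

    The per-account attribute and the machine-wide GPO bitmask are ANDed; an etype
    must be enabled in both to be usable. A policy_value of None models the
    "Not Defined" GPO (everything except DES, per the page).
    """
    if policy_value is None:
        policy_value = POLICY_NOT_DEFINED
    return decode_etypes(account_value & policy_value & KNOWN_MASK)


def audit_etypes(account_value: int) -> List[str]:
    """Findings a reviewer would raise about an account's attribute value."""
    findings = []
    if account_value & DES_MASK:
        findings.append("DES enabled")
    if account_value & RC4_MASK:
        findings.append("RC4 enabled")
    if not account_value & AES_MASK:
        findings.append("no AES")
    return findings


if __name__ == "__main__":
    # Constructed sample: a legacy service account still carrying DES + RC4 (0x07),
    # checked against the default policy and against an AES-only policy (0x18).
    legacy = encode_etypes(["DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"])
    print("legacy account value 0x%02x ->" % legacy, decode_etypes(legacy))
    print("effective with GPO not defined:", effective_etypes(legacy))
    print("effective with AES-only GPO:", effective_etypes(legacy, 0x18))
    print("audit findings:", audit_etypes(legacy))
    print("recommended AES-only value: 0x%02x" % encode_etypes(
        ["AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"]))
```

The AND in effective_etypes is the practical consequence of this section: a DES-only or RC4-only account on a host whose GPO allows only AES has an empty effective set, and ticket requests for it will fail rather than fall back. Run the audit over values pulled from the directory (for example with ldifde or Get-ADObject) to find accounts that need their attribute raised to 0x18 before the policy is tightened.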
More Information#
There might be more information on this subject in the following:
- [#1] - Windows Configurations for Kerberos Supported Encryption Type - based on information obtained 2018-05-16