!!! Overview[1]

[{$pagename}] lists the [encryption] [algorithms] supported by a user, computer or trust account. The [KDC] uses the [{$pagename}] information when generating a [Service Ticket] for that account.

Services and computers can automatically update this attribute on their respective accounts in [Microsoft Active Directory], and therefore need write [access] [Permission] to this attribute.

!! [{$pagename}] Values

[{$pagename}] values are defined in [Kerberos Encryption Types] (like [Cipher Suites]).

When editing the [{$pagename}] attribute, you have to combine the appropriate [bits] to get an [integer] value for the attribute.

Additionally, in the [UserAccountControl] attribute you [SHOULD] also clear the [USE_DES_KEY_ONLY] (0x200000) bit, so that the use of a [DES] key is no longer forced.

Decoding the [{$pagename}] [Bitmask]:
* 0x01 - [DES]-[CBC]-[CRC]
* 0x02 - [DES]-[CBC]-[MD5]
* 0x04 - [RC4]-[HMAC]
* 0x08 - [AES128|AES-128]-CTS-[HMAC]-[SHA1]-96 [Hash Function] with MAC truncated to 96 [bits]
* 0x10 - [AES256|AES-256]-CTS-[HMAC]-[SHA1]-96 [Hash Function] with MAC truncated to 96 [bits]

!! [LDAP] [Microsoft Active Directory] [Attribute] Definition

The [{$pagename}] [AttributeTypes] is defined as:
* [OID] of [1.2.840.113556.1.4.1963]
* [NAME|Attribute-Name]: [{$pagename}]
* [DESC]:
* [OBSOLETE flag] (only if present)
* [Supertype]:
** (only if present)
* [EQUALITY]: []
* [ORDERING]: []
* [SYNTAX]: [2.5.5.9]
* [SINGLE-VALUE]
* [USAGE]: [UserApplications]
* [Extended Flags]:
** [X-SYSTEMFLAGS]: [FLAG_SCHEMA_BASE_OBJECT]
** [X-SCHEMAFLAGSEx]: [FLAG_ATTR_IS_CRITICAL]
** [X-ORIGIN]: [MSDN]
* Used as [MUST] in:
**
* Used [MAY] in:
**

!! Allowed [Kerberos Encryption Types] Local [Group Policy Object] Setting

In [Windows 7]/[Windows Server 2008 R2], a new [Group Policy Object] setting is introduced for specifying the [encryption] types allowed for [Kerberos]. This is a system-wide global setting that affects all the accounts on the computer where the policy is applied. With this setting, we can enable and disable the encryption/decryption capability of each crypto system (AES256, AES128, RC4, DES etc.). In this way, even if an individual [encryption] type is included in the supported encryption type list discussed above, it will not be selected. The main purpose is to disable [DES] [encryption], which is widely considered not secure enough, on any Windows 7/Windows Server 2008 R2 computer by default.

You may notice that the policy setting “Network Security: Configure Encryption types allowed for [Kerberos]” is “Not Defined” on a new system. When this policy setting is not defined, all crypto systems except DES are available for encryption. Users can define this policy setting to enable/disable each individual crypto system, including DES.

!! [Microsoft Management Console] ([MMC])

[MsDS-SupportedEncryptionTypes/MMC-msDS-SupportedEncryptionTypes.png]

!! More Information

There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Windows Configurations for Kerberos Supported Encryption Type|https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/|target='_blank'] - based on information obtained 2018-05-16