Configuring the encryption type for Kerberos pre-authentication

To connect to an LDAP user account, a client requests a service ticket (TGS ticket) from the Kerberos V5 Key Distribution Center (KDC) and specifies supported encryption algorithms. The KDC selects an encryption algorithm to use. The selected value determines the default encryption type used at the pre-authentication step.

For more information, please refer to the Microsoft documentation: Network security: Configure encryption types allowed for Kerberos, Kerberos protocol registry entries and KDC configuration keys in Windows.

To override the default pre-authentication encryption type using the registry editor:

1. On the Active Directory domain controller, press Win+R, enter regedit in the displayed window, and press Enter.

   This opens the Registry Editor window.

2. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
3. For the Parameters key, create a new DWORD (32-bit) value named DefaultEncryptionType with one of the following values:
   • For the AES encryption algorithm:
     • aes256-cts-hmac-sha1-96: 18 (decimal) or 0x12 (hexadecimal). Recommended encryption type.
     • aes128-cts-hmac-sha1-96: 17 (decimal) or 0x11 (hexadecimal).
   • For RC4 encryption, it is 23 (decimal) or 0x17 (hexadecimal).
4. Repeat steps 1 to 3 on each Active Directory domain controller.

To override the default pre-authentication encryption type using PowerShell:

On each Active Directory domain controller, run the following command:

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -Name DefaultEncryptionType –Value 18

Page top