AD configuration
10.2.13.5. Active Directory configuration

This section outlines the Active Directory settings required to run Front-side Kerberos. Ergon recommends using the strongest encryption type available (currently AES 256). This guide describes only the steps needed to configure Front-side Kerberos with AES 256. The table below lists the encryption types available in Kerberos and the Windows versions that support them.

| Encryption Type | Code (dec, hex) | Works with Windows |
|---|---|---|
| des-cbc-crc | 1, 0x1 | Windows 2000 and later, off by default in Windows 7 / Server 2008 R2 |
| des-cbc-md4 | 2, 0x2 | not supported in Windows |
| des-cbc-md5 | 3, 0x3 | Windows 2000 and later, off by default in Windows 7 / Server 2008 R2 |
| des3-cbc-sha1 | 5, 0x5 | not supported in Windows |
| des3-cbc-sha1-kd | 16, 0x10 | not supported in Windows |
| aes-128-cts-hmac-sha1-96 | 17, 0x11 | Windows Vista / Server 2008 and later |
| aes-256-cts-hmac-sha1-96 | 18, 0x12 | Windows 7 / Server 2008 R2 and later |
| rc4-hmac (arcfour-hmac) | 23, 0x17 | Windows 2000 and later |
| rc4-hmac-exp | 24, 0x18 | Windows 2000 and later |