This section outlines the Active Directory settings required to run Front-side Kerberos. Ergon recommends using the best encryption type possible (currently AES 256), and this guide describes only the steps needed to configure Front-side Kerberos with AES 256. The table below lists the encryption types available in Kerberos and the Windows versions that support them.

Encryption Type | Code (dec, hex) | Works with Windows |
---|---|---|
des-cbc-crc | 1, 0x1 | Windows 2000 and later, off by default in Windows 7 / Server 2008 R2 |
des-cbc-md4 | 2, 0x2 | not supported in Windows |
des-cbc-md5 | 3, 0x3 | Windows 2000 and later, off by default in Windows 7 / Server 2008 R2 |
des3-cbc-sha1 | 5, 0x5 | not supported in Windows |
des3-cbc-sha1-kd | 16, 0x10 | not supported in Windows |
aes-128-cts-hmac-sha1-96 | 17, 0x11 | Windows Vista / Server 2008 and later |
aes-256-cts-hmac-sha1-96 | 18, 0x12 | Windows 7 / Server 2008 R2 and later |
rc4-hmac (arcfour-hmac) | 23, 0x17 | Windows 2000 and later |
rc4-hmac-exp | 24, 0x18 | Windows 2000 and later |
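
The hex codes in the table are the values a domain controller records in the `TicketEncryptionType` field of security event 4769 (Kerberos service ticket requested), so they can be used to confirm that tickets for the Front-side Kerberos service account are actually issued with AES 256. The following is an added example, not part of the original guide or of Ergon's product: the one-line `key=value` export format, the service account name `svc-frontside` and all sample events are constructed assumptions.

```python
import re
from collections import Counter

# Decimal codes and names taken from the table above.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 5: "des3-cbc-sha1",
    16: "des3-cbc-sha1-kd", 17: "aes-128-cts-hmac-sha1-96",
    18: "aes-256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
REQUIRED = 18            # aes-256-cts-hmac-sha1-96
NO_TICKET = 0xFFFFFFFF   # logged by Windows when the request failed

# Constructed sample: simplified key=value rendering of exported events.
SAMPLE_LOG = """\
2024-05-02T08:14:11Z EventID=4769 TargetUserName=alice@EXAMPLE.TEST ServiceName=svc-frontside TicketEncryptionType=0x12
2024-05-02T08:15:40Z EventID=4769 TargetUserName=bob@EXAMPLE.TEST ServiceName=svc-frontside TicketEncryptionType=0x17
2024-05-02T08:16:02Z EventID=4769 TargetUserName=carol@EXAMPLE.TEST ServiceName=svc-other TicketEncryptionType=0x17
2024-05-02T08:17:30Z EventID=4769 TargetUserName=dave@EXAMPLE.TEST ServiceName=svc-frontside TicketEncryptionType=0xFFFFFFFF
2024-05-02T08:18:05Z EventID=4768 TargetUserName=erin@EXAMPLE.TEST ServiceName=krbtgt TicketEncryptionType=0x12
2024-05-02T08:19:44Z EventID=4769 TargetUserName=frank@EXAMPLE.TEST ServiceName=svc-frontside TicketEncryptionType=0x3
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def audit_tickets(log_text, service):
    """Return (enctype usage counts, non-AES-256 tickets) for one service."""
    used, findings = Counter(), []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("EventID") != "4769" or fields.get("ServiceName") != service:
            continue  # other event IDs and other services are out of scope
        try:
            code = int(fields["TicketEncryptionType"], 16)
        except (KeyError, ValueError):
            continue  # malformed or truncated record
        if code == NO_TICKET:
            continue  # failed request, no ticket was encrypted
        name = ETYPES.get(code, f"unknown(0x{code:x})")
        used[name] += 1
        if code != REQUIRED:
            findings.append((line.split()[0], fields.get("TargetUserName", "?"), name))
    return used, findings

if __name__ == "__main__":
    used, findings = audit_tickets(SAMPLE_LOG, "svc-frontside")
    print(dict(used))
    for when, account, etype in findings:
        print(f"{when} {account}: ticket issued with {etype}, expected AES 256")
```
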