Active Directory configuration

This section outlines the Active Directory settings required to run Front-side Kerberos. Ergon recommends using the strongest encryption type available (currently AES 256). This guide covers only the steps needed to configure Front-side Kerberos with AES 256. The table below lists the encryption types available in Kerberos and the Windows systems that support each of them.

| Encryption Type | Code (dec, hex) | Works with Windows |
|---|---|---|
| des-cbc-crc | 1, 0x1 | Windows 2000 and later, off by default in Windows 7 / Server 2008 R2 |
| des-cbc-md4 | 2, 0x2 | not supported in Windows |
| des-cbc-md5 | 3, 0x3 | Windows 2000 and later, off by default in Windows 7 / Server 2008 R2 |
| des3-cbc-sha1 | 5, 0x5 | not supported in Windows |
| des3-cbc-sha1-kd | 16, 0x10 | not supported in Windows |
| aes-128-cts-hmac-sha1-96 | 17, 0x11 | Windows Vista / Server 2008 and later |
| aes-256-cts-hmac-sha1-96 | 18, 0x12 | Windows 7 / Server 2008 R2 and later |
| rc4-hmac (arcfour-hmac) | 23, 0x17 | Windows 2000 and later |
| rc4-hmac-exp | 24, 0x18 | Windows 2000 and later |