Allow weak encryption types for Kerberos authentication

Specify whether weak encryption types are allowed or not for kerberos authentication.

If enabled, the policy filters out weak encryptions types from adclient.krb5.tkt.encryption.types and adclient.krb5.permitted.encryption.types. And the weak encryption types which include des-cdc-crc, des-cbc-md4, dec-cbc-md5, dec-cbc-raw, des3-cbc-raw, des-hmac-sha1, arcfour-hmac-exp, rc4-hmac-exp, or arcfour-hmac-md5-exp will be supported.

If disabled, no weak encryption types will be allowed by adclient.

Note that setting this to false may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers.

The default value is true when it is not configured.

This group policy modifies the adclient.krb5.allow_weak_crypto setting in the Centrify DirectControl configuration file.

Supported on:

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Centrify\CentrifyDC\Settings\Kerberos
Value Nameadclient.krb5.allow_weak_crypto
Value TypeREG_SZ
Enabled Valuetrue
Disabled Valuefalse

Skip items whose full path matches

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Centrify\CentrifyDC\Settings\Kerberos
Value Name{number}
Value TypeREG_DWORD
Default Value

centrifydc_settings.admx

Administrative Templates (Computers)

Administrative Templates (Users)