Specify whether weak encryption types are allowed or not for kerberos authentication.
If enabled, the policy filters out weak encryptions types from adclient.krb5.tkt.encryption.types and adclient.krb5.permitted.encryption.types. And the weak encryption types which include des-cdc-crc, des-cbc-md4, dec-cbc-md5, dec-cbc-raw, des3-cbc-raw, des-hmac-sha1, arcfour-hmac-exp, rc4-hmac-exp, or arcfour-hmac-md5-exp will be supported.
If disabled, no weak encryption types will be allowed by adclient.
Note that setting this to false may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers.
The default value is true when it is not configured.
This group policy modifies the adclient.krb5.allow_weak_crypto setting in the Centrify DirectControl configuration file.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Centrify\CentrifyDC\Settings\Kerberos |
Value Name | adclient.krb5.allow_weak_crypto |
Value Type | REG_SZ |
Enabled Value | true |
Disabled Value | false |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Centrify\CentrifyDC\Settings\Kerberos |
Value Name | {number} |
Value Type | REG_DWORD |
Default Value |