Allowed Kerberos encryption types

Sets encryption types that are allowed when requesting Kerberos tickets from an Microsoft® Active Directory® server.

If the policy is set to 'All', both the AES encryption types 'aes256-cts-hmac-sha1-96' and 'aes128-cts-hmac-sha1-96' as well as the RC4 encryption type 'rc4-hmac' are allowed. AES encryption takes preference if the server supports both types. Note that RC4 is insecure and the server should be reconfigured if possible to support AES encryption.

If the policy is set to 'Strong' or if it is unset, only the AES encryption types are allowed.

If the policy is set to 'Legacy', only the RC4 encryption type is allowed. This option is insecure and should only be needed in very specific circumstances.

See also https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

Allowed Kerberos encryption types


  1. All (insecure)
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Policies\Google\ChromeOS
    Value NameDeviceKerberosEncryptionTypes
    Value TypeREG_DWORD
    Value0
  2. Strong
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Policies\Google\ChromeOS
    Value NameDeviceKerberosEncryptionTypes
    Value TypeREG_DWORD
    Value1
  3. Legacy (insecure)
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Policies\Google\ChromeOS
    Value NameDeviceKerberosEncryptionTypes
    Value TypeREG_DWORD
    Value2


chromeos.admx

Administrative Templates (Computers)

Administrative Templates (Users)