Share via

Settings/Values for DefaultDomainSupportedEncTypes etc.

Masuch, Michael 36 Reputation points
2022-11-27T16:44:17.653+00:00

I am trying to set our domain to AES128, AES256 (and future…) encryptions for Kerberos only.

Mostly the recommended values for DefaultDomainSupportedEncTypes, SupportedEncryptionTypes, msDS-SupportedEncryptionTypes are 0x18.

If I follow https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919 and would like to enable FAST etc. then I would compute 0x0f0018.

Looking at other sources and looking up the value that the GPO "Network security: Configure encryption types allowed for Kerberos" sets, I encounter 0x7ffffff8 .

Which values would you recommend, for which setting (DefaultDomainSupportedEncTypes, SupportedEncryptionTypes, msDS-SupportedEncryptionTypes)?

Best regards,
Michael

Windows for business | Windows Server | Devices and deployment | Configure application groups
0 comments

6 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Masuch, Michael 36 Reputation points
    2022-11-27T22:35:21.463+00:00

    Dear @risolis ,

    Thanks again for your quick answer.

    Yes, I am aware of theese articles. That's where my questions arose from.
    Here they state, that the value of DefaultDomainSupportedEncTypes is set to 0x27. But following the very below linked page, it could have been also 0x000f 0027. And if I enable the GPO "encryption types allowed for Kerberos" to (DES-CBC-CRC + DES-CBC-MD5 + RC4-HMAC + future) than the registry value of SupportedEncryptionTypes would be 0x7fff ffe7.

    1 person found this answer helpful.
  2. Masuch, Michael 36 Reputation points
    2022-12-02T16:20:55.653+00:00

    Hi @risolis ,

    there is not stated what I am looking for.

    Maybe someone from Mircosoft developing this systems can have a lock?

    Best,
    Michael

    1 person found this answer helpful.
    0 comments
  3. risolis 8,741 Reputation points
    2022-11-27T19:06:32.727+00:00

    Hello @Masuch, Michael

    Thank you for sharing this question on this community space.

    After reading your case scenario description, I am wondering if you have reviewed the following info...

    https://support.microsoft.com/en-gb/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

    https://dirteam.com/sander/2022/11/08/spend-some-time-on-properly-configuring-and-monitoring-your-domain-controllers-this-patch-tuesday/

    https://borncity.com/win/2022/11/10/updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues/

    I hope you can find this useful to overcome your concern.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments
  4. risolis 8,741 Reputation points
    2022-11-28T00:22:54.733+00:00

    Hi @Masuch, Michael

    I was taking a look at this concern from IANA documentation, and I was able to find the same cipher suites stated by you, but it seems to be deprecated as mentioned down below:

    DES-CBC-CRC/DES-CBC-MD5/RC4-HMAC

    https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  5. risolis 8,741 Reputation points
    2022-11-29T04:40:16.913+00:00
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.