What are the consequences of changing msDSEncryption and is it related to the krbtgt password?

Sage Mirror 160 Reputation points
2023-11-09T10:34:22.87+00:00

Hi,

I am having a lot of trouble understanding the relations between the attribute ms-DS-Supported-Encryption-Types on my servers and the krbtgt account password.

Below are some extracts of documentation that I read but feel like I didn't really understand. Can you please answer my questions?

There is a case to check for "This account supports Kerberos AES 128 bit encryption", another one "This account supports Kerberos AES 256 bit encryption" (source: 1).

-> I could see that those cases to check are only on the user accounts, not on the computer accounts; should I just check the case AES 256 (if I only want to use AES 256) for the krbtgt account? Or is it something to check for every user account?

"If you enable AES on the KRBTGT account and find your TGTs are still issued with RC4 encryption you may need to manually reset the password of the KRBTGT account." (source: 1)

-> Does that mean that if a very old krbtgt password is used, setting ms-DS-Supported-Encryption-Types to value 16/0x10/AES 256 just won't work?

"This update (Windows Update) will set AES as the default encryption type for session keys on accounts that are not marked with a default encryption type already." (source: 2)

-> How can I check if an account (user? computer?) is not marked with a default encryption type already? On the configurations, a lot of servers have value 31 set as ms-DS-Supported-Encryption-Types, will that be considered as default, and so I wouldn't need to do any modification to ms-DS-Supported-Encryption-Types thanks to the update?

Sorry for the very specific questions, but thank you a lot for your help!

Source links:

  1. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797
  2. https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
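The values mentioned in the question (16/0x10 and 31) are bitmasks. The following PowerShell sketch is an added example, not part of the original post or of the cited Microsoft articles; it decodes msDS-SupportedEncryptionTypes values and flags accounts that carry no explicit value. It assumes that "not marked with a default encryption type" corresponds to the attribute being unset or 0; the function name and the sample accounts are constructed for illustration.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and flag unset accounts.
# Only the five encryption-type bits are decoded; higher feature bits are ignored.
$EtypeBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)

function ConvertFrom-SupportedEtypes {   # hypothetical helper name
    param([string]$Name, [AllowNull()][Nullable[int]]$Value)

    # Assumption: unset or 0 means no explicit choice was made for the account,
    # so domain/KDC defaults apply instead of the attribute.
    $explicit = ($null -ne $Value) -and ($Value -ne 0)
    $types = @()
    if ($explicit) {
        $types = @($EtypeBits | Where-Object { $Value -band $_.Bit } |
                   ForEach-Object { $_.Name })
    }
    $raw = '(not set)'
    if ($null -ne $Value) { $raw = '{0} (0x{0:X})' -f [int]$Value }
    [pscustomobject]@{
        Account    = $Name
        Raw        = $raw
        Explicit   = $explicit
        AllowsAES  = $explicit -and [bool]($Value -band 0x18)
        AllowsRC4  = $explicit -and [bool]($Value -band 0x04)
        AllowsDES  = $explicit -and [bool]($Value -band 0x03)
        Types      = $types -join ', '
    }
}

# Constructed sample data. Against a real domain the same shape can be read with
# the ActiveDirectory module, for example:
#   Get-ADObject -LDAPFilter '(objectCategory=computer)' -Properties 'msDS-SupportedEncryptionTypes'
$sample = @(
    [pscustomobject]@{ Name = 'SRV-A$';  Etypes = 31 },    # DES + RC4 + AES128 + AES256
    [pscustomobject]@{ Name = 'SRV-B$';  Etypes = 16 },    # AES256 only
    [pscustomobject]@{ Name = 'svc-old'; Etypes = 4 },     # RC4 only
    [pscustomobject]@{ Name = 'user1';   Etypes = $null }  # attribute not set
)

$sample | ForEach-Object { ConvertFrom-SupportedEtypes -Name $_.Name -Value $_.Etypes } |
    Format-Table -AutoSize
```

With this decoding, 31 (0x1F) is an explicit value that enables all five types including DES and RC4, so it is not the same as an unset attribute.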