- Do users need to change their password in order for AES to be used? Yes, users need to change their password for AES encryption to take effect. This is because Kerberos tickets are generated based on a hash of the user's password, and the encryption type used for that hash depends on the available encryption types set on the account. If the account is configured to support AES but the password was set while RC4 was still in use, the Kerberos ticket will continue using the RC4 key until the password is reset. Changing the password forces the creation of a new hash that can then use AES encryption.
- How can the domain be set so all new accounts have AES enabled by default? You can ensure that AES is enabled by default on new accounts by setting the domain's account control flags. Specifically, for all new user accounts, you want the `msDS-SupportedEncryptionTypes` attribute to include AES. Here's how you can configure this:
  - Set Group Policy: In a Group Policy Object (GPO) that applies to your domain or OU, go to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Look for Network security: Configure encryption types allowed for Kerberos. Ensure that AES 128-bit and AES 256-bit are selected.
  - Default for New Accounts: Modify the default user account creation process (via a script or workflow) to explicitly set the `msDS-SupportedEncryptionTypes` attribute to enable AES for new user objects. This can be scripted using PowerShell or during the account provisioning process.
- Does the AES setting or password need to be changed on the krbtgt account as well? Yes, the `krbtgt` account's password needs to be changed for AES encryption to take effect. The `krbtgt` account is responsible for encrypting and decrypting Kerberos tickets, including ticket-granting tickets (TGTs). If the `krbtgt` password has not been changed since 2014, it would still be using encryption types based on the old password, potentially RC4. Steps to Rotate the krbtgt Password:
  - Change the `krbtgt` account password twice (it is recommended to change it twice to ensure both the old and new keys are updated properly).
  - Wait for replication to complete.
  - Ensure that AES encryption is enabled on the `krbtgt` account by setting its `msDS-SupportedEncryptionTypes` attribute to include AES types (AES128 and AES256).

  After changing the `krbtgt` password, new Kerberos tickets will start using AES if the accounts support it. This is crucial because the `krbtgt` account encrypts the TGTs for all domain accounts.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
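As an added example (not part of Marcin's answer), the PowerShell below audits which enabled user accounts, plus `krbtgt`, do not yet have AES in `msDS-SupportedEncryptionTypes` and when their password was last set, and offers a `-WhatIf`-capable function to add the AES bits without disturbing other flags. It assumes the RSAT ActiveDirectory module is available and uses the documented bit values of the attribute (AES128 = 0x8, AES256 = 0x10); the function names are my own.

```powershell
# Added example: audit and enable AES in msDS-SupportedEncryptionTypes.
# Assumes the ActiveDirectory RSAT module. Bit values are the documented ones:
# DES-CBC-CRC=0x1, DES-CBC-MD5=0x2, RC4-HMAC=0x4, AES128=0x8, AES256=0x10.
Import-Module ActiveDirectory

$AES128  = 0x8
$AES256  = 0x10
$AesMask = $AES128 -bor $AES256

function Get-AccountsWithoutAes {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Include krbtgt explicitly: it is disabled, so the Enabled filter would skip it.
    $krbtgt = Get-ADUser krbtgt -Properties 'msDS-SupportedEncryptionTypes', pwdLastSet
    $users  = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                -Properties 'msDS-SupportedEncryptionTypes', pwdLastSet
    @($krbtgt) + @($users) |
      Where-Object {
        $types = [int]($_.'msDS-SupportedEncryptionTypes')
        # 0 / not set means the domain default applies, so it also needs review.
        ($types -band $AesMask) -ne $AesMask
      } |
      Select-Object SamAccountName,
        @{ n = 'SupportedEncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'PwdLastSet';        e = { [DateTime]::FromFileTime($_.pwdLastSet) } }
}

function Enable-AesOnAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $acct    = Get-ADUser $SamAccountName -Properties 'msDS-SupportedEncryptionTypes'
    $current = [int]($acct.'msDS-SupportedEncryptionTypes')
    $new     = $current -bor $AesMask    # keep existing flags, add AES128 + AES256
    if ($PSCmdlet.ShouldProcess($SamAccountName, "set msDS-SupportedEncryptionTypes=$new")) {
        Set-ADUser $acct -Replace @{ 'msDS-SupportedEncryptionTypes' = $new }
    }
}

# Report first; as the answer notes, the password must still be reset afterwards
# so that an AES key actually exists for the account.
Get-AccountsWithoutAes | Format-Table -AutoSize
# Enable-AesOnAccount -SamAccountName 'jdoe' -WhatIf
```

Setting the attribute only advertises AES support; the AES key is created on the next password change, which is why the report also shows `PwdLastSet`.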