2.2.7 Supported Encryption Types Bit Flags

The data in the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.481), and in fields that specify which encryption types are supported, contains a 32-bit unsigned integer in little-endian format that holds a combination of the following flags and specifies which encryption types the server or service supports. An encryption type is supported if its bit is set to 1.

Bit layout (32 bits, shown in the bit-diagram convention where bit 0 is the most significant bit and bit 31 is the least significant bit):

Bits 0-11    0 (reserved)
Bit 12       I
Bit 13       H
Bit 14       G
Bit 15       F
Bits 16-25   0 (reserved)
Bit 26       J
Bit 27       E
Bit 28       D
Bit 29       C
Bit 30       B
Bit 31       A


Where the bits are defined as (the bit mask column gives the value of each flag in the little-endian integer, derived from the layout above):

Value   Bit mask      Description

A       0x00000001    DES-CBC-CRC

B       0x00000002    DES-CBC-MD5

C       0x00000004    RC4-HMAC

D       0x00000008    AES128-CTS-HMAC-SHA1-96

E       0x00000010    AES256-CTS-HMAC-SHA1-96

F       0x00010000    FAST-supported<9>

G       0x00020000    Compound-identity-supported<10>

H       0x00040000    Claims-supported<11>

I       0x00080000    Resource-SID-compression-disabled<12>

J       0x00000020    AES256-CTS-HMAC-SHA1-96-SK

AES256-CTS-HMAC-SHA1-96-SK: Enforce AES session keys when legacy ciphers are in use. When the bit is set, it indicates to the KDC that in every case where an RC4 session key could be used, an AES session key is issued instead.

Note: Setting AES128-CTS-HMAC-SHA1-96/AES256-CTS-HMAC-SHA1-96, and additionally AES256-CTS-HMAC-SHA1-96-SK if RC4 encryption is also selected, is recommended. Setting RC4/DES only is weak and not recommended.

All other bits MUST be set to zero when sent and MUST be ignored when they are received.

For more details see section 3.1.5.2 Encryption Types, and sections thereafter.
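The following is an added example, not part of this specification or of any Microsoft implementation. It decodes and builds msDS-SupportedEncryptionTypes values using the bit masks derived from the layout above, ignores undefined bits on receipt as the section requires, and classifies a value against the recommendation in the note (AES only, or AES plus RC4 with the SK bit set). The sample attribute bytes and values are constructed for illustration.

```python
"""Decode, build and assess msDS-SupportedEncryptionTypes values.

Flag masks follow the bit diagram in this section: letter A is the least
significant bit of the 32-bit little-endian integer, J sits just above E,
and F..I occupy bits 16..19. Sample values below are constructed.
"""
from __future__ import annotations

FLAGS: dict[str, int] = {
    "DES-CBC-CRC":                       0x00000001,  # A
    "DES-CBC-MD5":                       0x00000002,  # B
    "RC4-HMAC":                          0x00000004,  # C
    "AES128-CTS-HMAC-SHA1-96":           0x00000008,  # D
    "AES256-CTS-HMAC-SHA1-96":           0x00000010,  # E
    "AES256-CTS-HMAC-SHA1-96-SK":        0x00000020,  # J
    "FAST-supported":                    0x00010000,  # F
    "Compound-identity-supported":       0x00020000,  # G
    "Claims-supported":                  0x00040000,  # H
    "Resource-SID-compression-disabled": 0x00080000,  # I
}
LEGACY = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}
DES = {"DES-CBC-CRC", "DES-CBC-MD5"}
AES = {"AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"}
SK = "AES256-CTS-HMAC-SHA1-96-SK"


def from_ldap_bytes(raw: bytes) -> int:
    """Convert the 4-byte little-endian attribute value into an integer."""
    if len(raw) != 4:
        raise ValueError("msDS-SupportedEncryptionTypes is a 32-bit value")
    return int.from_bytes(raw, "little")


def to_ldap_bytes(value: int) -> bytes:
    """Serialize an integer as the 4-byte little-endian attribute value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value must fit in 32 bits")
    return value.to_bytes(4, "little")


def decode(value: int) -> list[str]:
    """Names of the set flags. Bits outside the defined set are ignored on
    receipt, as the section requires, so a value with stray bits still decodes."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value must fit in 32 bits")
    return [name for name, mask in FLAGS.items() if value & mask]


def encode(names) -> int:
    """Build a value from flag names. Unknown names raise KeyError rather than
    silently producing a bit that receivers would ignore."""
    value = 0
    for name in names:
        value |= FLAGS[name]
    return value


def assess(value: int) -> str:
    """Classify a value against the recommendation in this section's note."""
    names = set(decode(value))
    if not names & (LEGACY | AES):
        return "none: no encryption-type bits set"
    if names & AES and not names & LEGACY:
        return "ok: AES only"
    if names & AES and "RC4-HMAC" in names and SK in names and not names & DES:
        return "ok: AES with RC4 fallback, AES session keys enforced"
    if names & AES:
        return "warn: legacy ciphers enabled without AES session-key enforcement"
    return "weak: DES/RC4 only, not recommended"


if __name__ == "__main__":
    # Constructed sample: RC4 + AES128 + AES256 as it would be read from LDAP.
    raw = b"\x1c\x00\x00\x00"
    v = from_ldap_bytes(raw)
    print(hex(v), decode(v), assess(v))
```

A value of 0x1C (RC4 plus both AES types) is the common mixed configuration; the assessment flags it because RC4 session keys remain possible until the SK bit (0x20) is added, giving 0x3C.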