Partilhar via


2.2.7 Supported Encryption Types Bit Flags

The data in the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.481), and in fields that specify which encryption types are supported, contains a 32-bit unsigned integer in little-endian format that contains a combination of the following flags, and which specifies what encryption types are supported by the server or service. An encryption type is supported if its value is equal to 1.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

0

0

0

0

0

0

0

0

0

0

0

0

I

H

G

F

0

0

0

0

0

0

0

0

0

0

J

E

D

C

B

A

Where the bits are defined as:

Value

Description

A

DES-CBC-CRC

B

DES-CBC-MD5

C

RC4-HMAC

D

AES128-CTS-HMAC-SHA1-96

E

AES256-CTS-HMAC-SHA1-96

F

FAST-supported<9>

G

Compound-identity-supported<10>

H

Claims-supported<11>

I

Resource-SID-compression-disabled<12>

J

AES256-CTS-HMAC-SHA1-96-SK

AES256-CTS-HMAC-SHA1-96-SK: Enforce AES session keys when legacy ciphers are in use. When the bit is set, this indicates to the KDC that all cases where RC4 session keys can be used will be superseded with AES keys.

Note: The encryption types AES128-CTC-HMAC-SHA1-96/AES256-CTC-HMAC-SHA1-96 or including AES256-CTS-HMAC-SHA1-96-SK if RC4 encryption types is selected is recommended. Setting RC4/DES only is weak and not recommended.

All other bits MUST be set to zero when sent and MUST be ignored when they are received.

For more details see section 3.1.5.2 Encryption Types, and sections thereafter.