Strictly Enforce Default Encryption Types

This parameter specifies if DirectControl should add or replace the default encryption types listed in the settings, default_tgs_enctypes and default_tkt_enctypes in krb5.conf with the types specified in the setting adclient.krb5.tkt.encryption.types in centrifydc.conf.

  • When this group policy is not set (default) —No change in behavior. It means DirectControl adds any additional encryption types.

    Default encryption types from centrifydc.conf are added, if they were not already listed. Other items that were already in default_tgs_enctypes and default_tkt_enctypes are left alone and not removed.

  • When this group policy is set—DirectControl replaces the encryption types listed in the settings, default_tgs_enctypes and default_tkt_enctypes in krb5.conf to match exactly with the encryption types listed in the setting, adclient.krb5.tkt.encryption.types in centrifydc.conf.

    Default encryption types from centrifydc.conf are added, if they were not already listed. Other items that were already in default_tgs_enctypes and default_tkt_enctypes, and not in centrifydc.conf, are removed.

This group policy is set as follows: Computer Configuration > Centrify Settings > DirectControl Settings > Kerberos Settings > Control if strictly enforce the encTypes.