adclient.krb5.allow_weak_crypto

This configuration parameter specifies whether to allow weak encryption types for Kerberos authentication.

By default (true), this parameter allows the weak encryption types specified in the parameters adclient.krb5.permitted.encryption.types and adclient.krb5.tkt.encryption.types.

These encryption types include: des-cdc-crc, des-cbc-md4, dec-cbc-md5, dec-cbc-raw, des3-cbc-raw, des-hmac-sha1, arcfour-hmac-exp, rc4-hmac-exp, and arcfour-hmac-md5-exp.

If you disable this parameter, the above encryption types are not supported. Note that setting this parameter to false may cause authentication failures in existing Kerberos environments that do not support strong cryptography. Users in these environments should leave this parameter value set to “true” until their environment adopts stronger cyphers.

By default, this parameter is set to true.

adclient.krb5.allow_weak_crypto: true