This configuration parameter specifies whether to allow weak encryption types for Kerberos authentication. When this parameter is set to false, then weak encryption types (as noted in the Encryption types section of the kdc.conf file) are filtered out of the following lists:

  • default_tgs_enctypes

  • default_tkt_enctypes

  • permitted_enctypes.

The default value for this parameter is false, which may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this parameter to true until their infrastructure adopts stronger ciphers.

By default, this parameter is set to false.

adclient.krb5.allow_weak_crypto: false