adclient.krb5.permitted.encryption.types.strict

The adclient.krb5.permitted.encryption.types.strict parameter controls whether to add to or replace the encryption types specified in the setting, permitted_enctypes, in krb5.conf with the encryption types specified in the setting, adclient.krb5.permitted.encryption.types, in centrifydc.conf.

  • When adclient.krb5.permitted.encryption.types.strict is false (default), then:

    The encryption types listed in adclient.krb5.permitted.encryption.types in centrifydc.conf,are added to the list of encryption types in permitted_enctypes in krb5.conf.

    This only ensures that what is specified in centrifydc.conf is present in krb5.conf. It does not remove unknown items.

  • When adclient.krb5.permitted.encryption.types.strict is set to true, then:

    The encryption types listed in adclient.krb5.permitted.encryption.types in centrifydc.conf replace the encryption types specified in the setting, permitted_enctypes, in krb5.conf.

    The permitted encryption types in krb5.conf exactly match the permitted encryption types in centrifydc.conf. Extra or unknown encryption types are removed.

Example:

adclient.krb5.permitted.encryption.types.strict: false
  • false — Default is false. No change in behavior. permitted_enctypes are updated from the centrifydc.conf file.

    Items from centrifydc.conf are added, if they were not already listed. Other items that were already in permitted_enctypes are left alone and not removed.

  • true — replace the targeted krb5.conf parameters so they match exactly what is specified in centrifydc.conf.

    Items from centrifydc.conf are added, if they were not already listed. Other items that were already in permitted_enctypes, and not in centrifydc.conf, are removed.

To apply changes to this parameter, either restart adclient or ensure the group policy is set as follows: Computer Configuration > Centrify Settings > DirectControl Settings > Kerberos Settings > Control if strictly enforce the permitted_encTypes.