This configuration parameter specifies the types of encryption that can be used in Kerberos client credentials.

The parameter value must be one or more encryption types, separated by a space. For example:

adclient.krb5.permitted.encryption.types: arcfour-hmac-md5 des-cbc-md5

If this parameter is not defined in the configuration file, the default encryption types permitted are:

  • Windows 2000 server and Windows Server 2003: arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.
  • Windows Server 2008 domain functional level supports these additional types:
    aes128-cts and aes256-cts. Although you can specify these types in an environment other than 2008 domain functional level, they are not useful and may cause extra network round trips during the authentication process.