This configuration parameter specifies the types of encryption that can be presented to the server in the TGT when the computer is requesting service tickets.

The parameter value must be one or more encryption types, separated by a space. For example:

adclient.krb5.tkt.encryption.types: arcfour-hmac-md5 des-cbc-md5

If this parameter is not defined in the configuration file, the default encryption types permitted are:

  • Windows 2000 server and Windows Server 2003: arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.
  • Windows Server 2008 domain functional level supports these additional types:
    aes128-cts and aes256-cts.
    Although you can specify these types in an environment other than 2008 domain functional level, they are not useful and may cause extra network round trips during the authentication process.