Figuring out which Kerberos encryption type (etype) will be used is a common source of confusion. However, we can simplify this process by breaking it down into a checklist:
- What kind of ticket are you requesting?
  - Ticket Granting Ticket (TGT)
    - FYI: No more getting TGTs with RC4 session keys
  - Service Ticket (ST)
  - Subsession Key (SSK)
- Who are the relevant parties?
  - For a TGT: Client & Key Distribution Center (KDC)
  - For an ST: Client, KDC & Service
  - For an SSK: Client & Service
- What is the default supported encryption for the domain?
  - This is only relevant if msDS-SupportedEncryptionTypes isn't set in Active Directory.
  - If you're using Windows Server 2025 or newer: 0x24 (RC4 | AES_SK)
  - If you're using Windows Server 2022 or older: 0x27 (DES | RC4 | AES_SK)
- Are we talking about the ticket encryption type?
  - If yes, we only need the strongest etype that both the target and the KDC support.
- Are we talking about session key encryption types?
  - If yes, we need the strongest etype that the source, the target, and the KDC all support.
By answering these questions, you can easily determine the correct etypes with a calculator!
You can see this in action here: etype-calc
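
The checklist above, worked through in Python as an added example; it is not the code of the etype-calc tool linked here. The function names, the strength ordering, and the treatment of AES_SK as adding AES256 for session keys only are assumptions of this example.

```python
from enum import IntFlag

class EType(IntFlag):
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4 = 0x04
    AES128 = 0x08
    AES256 = 0x10
    AES_SK = 0x20  # AES session keys even when the ticket uses a legacy cipher

# Domain defaults quoted on the page, used when the attribute is unset.
DEFAULT_2025_OR_NEWER = 0x24  # RC4 | AES_SK
DEFAULT_2022_OR_OLDER = 0x27  # DES | RC4 | AES_SK

# Strongest first (ordering assumed by this example).
STRENGTH = (EType.AES256, EType.AES128, EType.RC4,
            EType.DES_CBC_MD5, EType.DES_CBC_CRC)

def effective(attr, domain_default):
    """Account's attribute value, or the domain default when unset (None or 0)."""
    return EType(attr if attr else domain_default)

def strongest(mask):
    """Strongest concrete etype in mask, or None when nothing is common."""
    return next((e for e in STRENGTH if e & mask), None)

def ticket_etype(kdc, target):
    """Ticket encryption: strongest etype the target and the KDC both support."""
    return strongest(EType(kdc) & EType(target))

def session_key_etype(source, kdc, target):
    """Session key: strongest etype the source, target and KDC all support."""
    target = EType(target)
    if target & EType.AES_SK:  # assumption: AES_SK adds AES256 for session keys only
        target |= EType.AES256
    return strongest(EType(source) & EType(kdc) & target)

def describe(source, kdc, target_attr, domain_default):
    """Return (ticket etype, session key etype) for one request."""
    target = effective(target_attr, domain_default)
    return ticket_etype(kdc, target), session_key_etype(source, kdc, target)

if __name__ == "__main__":
    aes_and_rc4 = 0x1C  # constructed sample: RC4 | AES128 | AES256
    for attr in (None, 0x18):
        t, s = describe(aes_and_rc4, aes_and_rc4, attr, DEFAULT_2025_OR_NEWER)
        print(f"attr={attr}: ticket={t.name}, session key={s.name}")
```

A `None` result means the parties share no etype for that key, which is the case to look for when RC4 is disabled on the KDC while a target account still relies on the domain default.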