caption: Allowed Kerberos encryption types
deprecated: true
default: 1
desc: |-
Setting the policy designates which encryption types are allowed when requesting Kerberos tickets from a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> server.
Setting the policy to:
* All allows the AES encryption types aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, as well as the RC4 encryption type rc4-hmac. AES takes precedence if the server supports AES and RC4 encryption types.
* Strong or leaving it unset allows only the AES types.
* Legacy allows only the RC4 type. RC4 is insecure. It should only be needed in very specific circumstances. If possible, reconfigure the server to support AES encryption.
Also see https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.
device_only: true
example_value: 1
features:
dynamic_refresh: true
items:
- caption: All (insecure)
name: All
value: 0
- caption: Strong
name: Strong
value: 1
- caption: Legacy (insecure)
name: Legacy
value: 2
owners:
- [email protected]
schema:
enum:
- 0
- 1
- 2
type: integer
supported_on:
- chrome_os:66-114
tags:
- system-security
type: int-enum
generate_device_proto: False