chromium/components/policy/resources/templates/policy_definitions/ActiveDirectoryManagement/DeviceKerberosEncryptionTypes.yaml

caption: Allowed Kerberos encryption types
deprecated: true
default: 1
desc: |-
  Setting the policy designates which encryption types are allowed when requesting Kerberos tickets from a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> server.

  Setting the policy to:

  * All allows the AES encryption types aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, as well as the RC4 encryption type rc4-hmac. AES takes precedence if the server supports AES and RC4 encryption types.

  * Strong or leaving it unset allows only the AES types.

  * Legacy allows only the RC4 type. RC4 is insecure. It should only be needed in very specific circumstances. If possible, reconfigure the server to support AES encryption.

  Also see https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.
device_only: true
example_value: 1
features:
  dynamic_refresh: true
items:
- caption: All (insecure)
  name: All
  value: 0
- caption: Strong
  name: Strong
  value: 1
- caption: Legacy (insecure)
  name: Legacy
  value: 2
owners:
- [email protected]
schema:
  enum:
  - 0
  - 1
  - 2
  type: integer
supported_on:
- chrome_os:66-114
tags:
- system-security
type: int-enum
generate_device_proto: False