Home / server / Questions / 1099053
Accepted
stackprotector
Asked: 2022-04-21 08:44:23 +0800 CST

How can I set the 'The other domain supports Kerberos AES Encryption' setting programmatically?

  • 772

In the GUI (Active Directory Domains and Trusts MMC Snap-in (domain.msc)), you can set the "The other domain supports Kerberos AES Encryption" setting for a trust relationship:

The other domain supports Kerberos AES Encryption

I am looking for a way to set this setting programmatically. I already reviewed the Install-ADDSDomain PowerShell cmdlet and also the netdom TRUST tool, but both do not seem to include an option to set the Kerberos AES encryption setting.

Can someone tell me, how I can set this setting programmatically?

windows scripting kerberos windows-server-2019 trust-relationship

1 Answers

  1. Best Answer

    This can be done with ksetup:

    ksetup /setenctypeattr <THE_OTHER_DOMAIN> AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

    See also this documentation. Be aware where you execute this command for which domain. You can only use it to set the encryption types for the other domain. So if you are on a DC of child.contoso.com, you can issue:

    ksetup /setenctypeattr contoso.com AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

    If you are on a DC of contoso.com, you can issue:

    ksetup /setenctypeattr child.contoso.com AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

    Other combinations are not possible and you may face the following problems:

    • 0