I'm playing around with a test domain on Windows Server 2012 R2. I'm operating at the highest possible functional level and have no backwards-compatibility issues in my small test environment. However, I've realized that despite the fact that I have support for Kerberos AES authentication, it is not enabled by default for any users. I have to actually go into a user's properties and check off "This account supports Kerberos AES 128 bit encryption" and/or "This account supports Kerberos AES 256 bit encryption" to enable it.
(I first realized this when adding a test account to the "Protected Users" group, which sets policy to require AES. Afterwards, all my network logins started failing until I checked those boxes.)
I figure that this might be disabled by default to ensure backwards-compatibility for some systems, but I can't find a way to enable this for all users, or even an explanation of the current behavior.
Any ideas?
Checking the Kerberos AES checkboxes for the users would cause authentication failures on pre-Vista clients. This is probably the reason that it's not set by default.
The Kerberos AES support checkboxes correspond to the value set in an attribute called msDS-SupportedEncryptionTypes.
To change this for more than one user, you can utilize PowerShell and the ActiveDirectory module:
Using Active Directory Users and Computers, you can also highlight multiple users, right-click, choose Properties, then Account, and select the option to apply to all users selected.
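As an added illustration of the PowerShell route the answer mentions (this is not the answerer's code), the script below reports which users in an OU lack the AES bits in msDS-SupportedEncryptionTypes and sets them while preserving any bits already present; the OU path is a placeholder, and the bit values are the documented flags of that attribute.

```powershell
# Added example: bulk-enable the two "supports Kerberos AES" checkboxes by
# setting bits in msDS-SupportedEncryptionTypes. Runs with -WhatIf so it only
# reports; remove -WhatIf to apply the change.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes
$DES_CBC_CRC = 0x01
$DES_CBC_MD5 = 0x02
$RC4_HMAC    = 0x04
$AES128_CTS  = 0x08   # "This account supports Kerberos AES 128 bit encryption"
$AES256_CTS  = 0x10   # "This account supports Kerberos AES 256 bit encryption"
$AesBits = $AES128_CTS -bor $AES256_CTS   # 0x18 = 24, both boxes ticked

$SearchBase = 'OU=Staff,DC=example,DC=test'   # placeholder OU for the test domain

$users = Get-ADUser -Filter * -SearchBase $SearchBase `
    -Properties msDS-SupportedEncryptionTypes

foreach ($u in $users) {
    # Unset attribute reads as $null, which [int] turns into 0
    $current = [int]($u.'msDS-SupportedEncryptionTypes')
    if (($current -band $AesBits) -eq $AesBits) { continue }   # already AES-enabled

    # OR in the AES bits; existing bits (e.g. RC4 for older clients) are kept
    $new = $current -bor $AesBits
    Write-Host ("{0}: {1} -> {2}" -f $u.SamAccountName, $current, $new)
    Set-ADUser -Identity $u -Replace @{ 'msDS-SupportedEncryptionTypes' = $new } -WhatIf
}
```

Note that AES keys are derived when a password is set, so an account whose password predates the domain running at a 2008-or-later functional level also needs a password change before AES tickets can be issued for it.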