Kerberos - Encryption type


Encryption in Kerberos

Encryption is used for both the ticket-granting ticket (TGT) and session tickets.

There are three components:

Each one may support a different set of encryption types, and the protocol needs to negotiate a mutually-supported enctype for things to work.


  • CRC (DES_CBC_CRC): Supports CRC32 as described in [RFC3961] page 31.
  • MD5 (DES_CBC_MD5): Supports RSA-MD5 as described in [RFC3961] page 31.
  • RC4 (RC4_HMAC_MD5): Supports RC4-HMAC-MD5 as described in [RFC4757].
  • A128 (AES128_CTS_HMAC_SHA1_96): Supports HMAC-SHA1-96-AES128 as described in [RFC3961] page 31.
  • A256 (AES256_CTS_HMAC_SHA1_96): Supports HMAC-SHA1-96-AES256 as described in [RFC3961] page 31.


KDC has no support for encryption type

  • When the client talks to the KDC it tells the KDC what it supports, and the KDC can accommodate that.
  • When the client asks for a ticket for the server, neither of them directly knows what enctypes the server supports, and the KDC can potentially issue a service ticket with an enctype the server doesn't understand (“no support for encryption type”).

The way to avoid this problem is to limit the encryption types stored in the KDC's DB for the server to what the server actually understands. The KDC can't issue tickets with encryption types it doesn't have on record, so everything is guaranteed to work.
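The failure and its fix, as an added example that is not part of the original page: a simplified model in which the KDC encrypts the service ticket with the strongest key it has on record for the service principal. The function names, the preference order and the sample sets are assumptions made for illustration; a real KDC applies its own selection policy.

```python
# Simplified model (an assumption, not a real KDC): the KDC encrypts a service
# ticket with the strongest key it has on record for the service principal.

# Assumed preference order, strongest first; names follow the list on this page.
PREFERENCE = ["AES256_CTS_HMAC_SHA1_96", "AES128_CTS_HMAC_SHA1_96",
              "RC4_HMAC_MD5", "DES_CBC_MD5", "DES_CBC_CRC"]


def kdc_pick_ticket_enctype(keys_in_kdc_db):
    """Return the enctype the modelled KDC uses for the service ticket."""
    for enctype in PREFERENCE:
        if enctype in keys_in_kdc_db:
            return enctype
    raise LookupError("KDC has no key on record for this service")


def server_accepts(ticket_enctype, server_supported):
    """The server can only decrypt a ticket whose enctype it implements."""
    if ticket_enctype not in server_supported:
        return "no support for encryption type"
    return "ok"


def audit_principal(keys_in_kdc_db, server_supported):
    """Split the stored keys into those to keep and those to remove."""
    keep = [e for e in PREFERENCE
            if e in keys_in_kdc_db and e in server_supported]
    remove = [e for e in PREFERENCE
              if e in keys_in_kdc_db and e not in server_supported]
    return keep, remove


# Constructed sample: the service implements AES128 and RC4 only, while the
# KDC database also holds an AES256 key for its principal.
SERVER_SUPPORTED = {"AES128_CTS_HMAC_SHA1_96", "RC4_HMAC_MD5"}
KDC_DB_KEYS = {"AES256_CTS_HMAC_SHA1_96", "AES128_CTS_HMAC_SHA1_96",
               "RC4_HMAC_MD5"}

if __name__ == "__main__":
    before = kdc_pick_ticket_enctype(KDC_DB_KEYS)
    print("before:", before, "->", server_accepts(before, SERVER_SUPPORTED))
    keep, remove = audit_principal(KDC_DB_KEYS, SERVER_SUPPORTED)
    print("remove from KDC DB:", remove)
    after = kdc_pick_ticket_enctype(set(keep))
    print("after: ", after, "->", server_accepts(after, SERVER_SUPPORTED))
```

Running the audit against every service principal before changing a KDC's enctype settings shows which stored keys would produce tickets the service cannot decrypt.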
