15

I'm playing around with a test domain on Windows Server 2012 R2. I'm operating at the highest possible functional level and have no backwards-compatibility issues in my small test environment. However, I've realized that despite the fact that I have support for Kerberos AES authentication, it is not enabled by default for any users. I have to actually go into a user's properties and check off "This account supports Kerberos AES 128 bit encryption" and/or "This account supports Kerberos AES 256 bit encryption" to enable it.

(I first realized this when adding a test account to the "Protected Users" group, which sets policy to require AES. Afterwards, all my network logins started failing until I checked those boxes.)

I figure that this might be disabled by default to ensure backwards-compatibility for some systems, but I can't find a way to enable this for all users, or even an explanation of the current behavior.

Any ideas?

Reid Rankin
  • 323
  • 1
  • 2
  • 7

2 Answers

15

Checking the Kerberos AES checkboxes for the users would cause authentication failures on pre-Vista clients. This is probably the reason that it's not set by default.

The Kerberos AES support checkboxes correspond to the value set in an attribute called msDS-SupportedEncryptionTypes.

To change this for more than one user, you can utilize PowerShell and the ActiveDirectory module:

# Requires the ActiveDirectory module (RSAT / AD DS tools)
Import-Module ActiveDirectory

# The numerical values (bit flags) for Kerberos AES encryption types to support
$AES128 = 0x8
$AES256 = 0x10

# Fetch all users from an OU with their current supported encryption types attribute
$Users = Get-ADUser -Filter * -SearchBase "OU=SecureUsers,OU=Users,DC=domain,DC=tld" -Properties "msDS-SupportedEncryptionTypes"
foreach($User in $Users)
{
    # If none are currently supported, enable AES256
    # (an unset attribute comes back as $null, which [int] turns into 0)
    $encTypes = [int]$User."msDS-SupportedEncryptionTypes"
    if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)
    {
        # OR the AES256 flag into the existing bitmask so other flags are preserved
        Set-ADUser $User -Replace @{"msDS-SupportedEncryptionTypes"=($encTypes -bor $AES256)}
    }
}
Mathias R. Jessen
  • 24,907
  • 4
  • 62
  • 95
  • Is there any way to set this by default on new users? – Reid Rankin Aug 02 '14 at 08:23
  • 2
    You can likely make this the default for new users by modifying the AD schema. You should probably ask it as a separate question if you want a more detailed answer though. – Ryan Bolger Jun 23 '15 at 17:14
  • 2
    As pre-Vista clients have been out of support for many years now, it would be nice if Microsoft finally enabled the AES encryption types by default for all users that lack an msDS-SupportedEncryptionType attribute. – Markus Kuhn Oct 20 '19 at 16:12
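The following is an added example that is not part of the answer above or of any Microsoft tooling: it decodes the msDS-SupportedEncryptionTypes bitmask into readable names so you can audit which accounts lack AES before changing anything, and then enables both AES128 and AES256 (the answer above only enables AES256) while keeping any flags already set. The bit values (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10) are the documented flag values for that attribute; the OU path is a placeholder to replace with your own, and the function names are my own.

```powershell
# Added example: audit and enable Kerberos AES on user accounts via msDS-SupportedEncryptionTypes.
# Assumes the ActiveDirectory module is installed and the OU path below is adjusted to your domain.
Import-Module ActiveDirectory

# Documented bit flags of msDS-SupportedEncryptionTypes
$EncTypeFlags = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
}

function ConvertTo-EncTypeNames {
    param([int]$Value)
    # Translate the raw bitmask into names; 0 means the attribute is not set,
    # in which case the KDC applies its own defaults rather than AES
    if ($Value -eq 0) { return '(not set)' }
    ($EncTypeFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }) -join ','
}

function Get-UsersWithoutAes {
    param([string]$SearchBase)
    $aesMask = $EncTypeFlags['AES128'] -bor $EncTypeFlags['AES256']
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            # [int]$null evaluates to 0, so unset attributes are handled uniformly
            $current = [int]($_.'msDS-SupportedEncryptionTypes')
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                RawValue       = $current
                EncTypes       = ConvertTo-EncTypeNames $current
                HasAes         = (($current -band $aesMask) -ne 0)
            }
        } |
        Where-Object { -not $_.HasAes }
}

function Enable-UserAes {
    # SupportsShouldProcess gives -WhatIf / -Confirm for a dry run before touching accounts
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SupportedEncryptionTypes'
        $current = [int]($user.'msDS-SupportedEncryptionTypes')
        # OR in both AES flags; existing flags (e.g. RC4 for legacy clients) are preserved
        $new = $current -bor $EncTypeFlags['AES128'] -bor $EncTypeFlags['AES256']
        if ($PSCmdlet.ShouldProcess($SamAccountName, "set msDS-SupportedEncryptionTypes $current -> $new")) {
            Set-ADUser -Identity $user -Replace @{ 'msDS-SupportedEncryptionTypes' = $new }
        }
    }
}

# Usage: report first, then enable. The OU path is a placeholder.
$ou = 'OU=SecureUsers,OU=Users,DC=domain,DC=tld'
Get-UsersWithoutAes -SearchBase $ou | Format-Table SamAccountName, RawValue, EncTypes
# Dry run, then the real change:
# Get-UsersWithoutAes -SearchBase $ou | Enable-UserAes -WhatIf
# Get-UsersWithoutAes -SearchBase $ou | Enable-UserAes
```

Run the audit pass on its own first: accounts whose value decodes to RC4-HMAC only are the ones that will break if something (such as membership in Protected Users) starts requiring AES. Setting the attribute only advertises support; the AES keys themselves are derived from the password when it is set, so an account whose password predates the domain's AES support still needs a password change before it can actually get AES tickets.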
0

Using Active Directory Users and Computers, you can also highlight multiple users, right click, choose Properties, then Account, and select the option to apply to all users selected.

TristanK
  • 8,953
  • 2
  • 27
  • 39