Why should I consider using AES encryption
While the default RC4-HMAC is the most compatible encryption type, it is no longer considered to offer strong encryption.
For this reason, we recommend that you use AES-128 or AES-256 encryption instead.
Prerequisites for using AES encryption
Prerequisites / Tasks
- Domain functional level must be 2008 or higher. Domain functional levels prior to 2008 do not support AES encryption. To find the domain functional level, right-click on the root of the domain and choose Properties.
- Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be in place. Replace local_policy.jar and US_export_policy.jar in
The service must be restarted in order to apply the new policies.
- AES must be enabled on the user account that holds the SPN.
Creating a keytab with AES
- Enable AES 128 or AES 256 on the user account.
- (Re)Create the keytab with support for AES.
- Upload the new keytab file to our plugin.
Recreating keytabs with new versions or different encryption types will make Kerberos fail for clients that already have a ticket. Logging out or running "klist purge" on the command line will make clients acquire a new ticket with AES-256.
The first command in the picture below issues a keytab for issues.example.com. This keytab has "vno 3" meaning key version number (kvno) 3.
The second command is run after the user object has AES256 enabled. A new version of the keytab is issued (vno 4).
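The procedure above (enable AES on the SPN account, re-issue the keytab, confirm the kvno bump) as an added PowerShell example; this is not the plugin's own code or the page's original commands. The account name svc-issues, the SPN HTTP/issues.example.com, the realm EXAMPLE.COM and the output path are assumed values.

```powershell
# Added example, not from the original page.
# Assumed: service account "svc-issues", SPN HTTP/issues.example.com, realm EXAMPLE.COM.
# Requires the ActiveDirectory RSAT module and rights to manage the account.
Import-Module ActiveDirectory

$Account   = 'svc-issues'                          # assumed sAMAccountName of the SPN holder
$Principal = 'HTTP/issues.example.com@EXAMPLE.COM' # assumed SPN and realm
$Keytab    = 'C:\keytabs\issues.keytab'            # assumed output path

# 1. Record the current state: supported encryption types (bitmask) and key version number.
#    msDS-SupportedEncryptionTypes bits: RC4-HMAC = 0x4, AES128 = 0x8, AES256 = 0x10.
$before = Get-ADUser $Account -Properties 'msDS-SupportedEncryptionTypes', 'msDS-KeyVersionNumber'
'Before: encTypes=0x{0:X} kvno={1}' -f [int]$before.'msDS-SupportedEncryptionTypes',
                                        $before.'msDS-KeyVersionNumber'

# 2. Enable AES 128 and AES 256 on the account (equivalent to ticking the two AES
#    boxes on the account's properties). Requires domain functional level 2008 or higher.
Set-ADUser $Account -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }

# 3. (Re)create the keytab with an AES-256 key. ktpass resets the account password
#    (/pass * prompts for it), which rotates the key and increments the kvno, so
#    every client holding an old ticket must log out or run "klist purge".
ktpass /princ $Principal /mapuser "$Account@EXAMPLE.COM" /pass * `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $Keytab

# 4. Confirm the kvno was incremented (e.g. vno 3 -> vno 4 as described above).
#    The "vno" printed by ktpass must match this value, otherwise tickets cannot be decrypted.
$after = Get-ADUser $Account -Properties 'msDS-KeyVersionNumber'
'After:  kvno={0}' -f $after.'msDS-KeyVersionNumber'
```

Upload the resulting keytab to the plugin only after checking that the vno printed by ktpass matches the account's msDS-KeyVersionNumber; a mismatch is the usual cause of authentication failing right after a keytab is reissued.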