Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8218: What encryption type is Centrify DirectControl agent using to communicate with the DC?

Authentication Service ,  

30 March,17 at 01:54 AM

Question:

What type of encryption is Centrify DirectControl agent using to communicate with DC?

Answer:

If you do not specify an encryption type in the command line, the encryption types defined in the centrifydc.conf file are used. The default encryption types supported are:

• Windows 2000 server and Windows Server 2003:

arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.

• Windows Server 2008 and higher domain functional level supports these additional types:

aes128-cts and aes256-cts.

Although the agent will support these types in an environment lower than 2008 domain functional level since the domain doesn't support it they will not be used and may cause extra network round trips.

Note If you specify an encryption type that is not listed as a permitted encryption type in the centrifydc.conf file, the key table entry will not be created and an error is displayed. You should verify that the encryption types you want to use are listed for the configuration parameter below:

adclient.krb5.permitted.encryption.types

For example: 
adclient.krb5.tkt.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts 
adclient.krb5.permitted.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts 

You can also use the command "klist -kte" which tells you the encryption types in use for all the principles and the kerberos tickets.

For example:
on the server as root run the command below:
klist -kte

 

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? article[TIPS] A Centrify Server Suite Cheat Sheet articleKB-3925: How to add Centrify parameter to a group policy articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out?