Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-8218: What encryption type is Centrify DirectControl agent using to communicate with the DC?

Authentication Service ,  

30 March,17 at 01:54 AM


What type of encryption is Centrify DirectControl agent using to communicate with DC?


If you do not specify an encryption type in the command line, the encryption types defined in the centrifydc.conf file are used. The default encryption types supported are:

• Windows 2000 server and Windows Server 2003:

arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.

• Windows Server 2008 and higher domain functional level supports these additional types:

aes128-cts and aes256-cts.

Although the agent will support these types in an environment lower than 2008 domain functional level since the domain doesn't support it they will not be used and may cause extra network round trips.

Note If you specify an encryption type that is not listed as a permitted encryption type in the centrifydc.conf file, the key table entry will not be created and an error is displayed. You should verify that the encryption types you want to use are listed for the configuration parameter below:


For example: 
adclient.krb5.tkt.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts 
adclient.krb5.permitted.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts 

You can also use the command "klist -kte" which tells you the encryption types in use for all the principles and the kerberos tickets.

For example:
on the server as root run the command below:
klist -kte