Why don’t Active Directory user accounts automatically support Kerberos AES authentication

Tags: active-directory, encryption, kerberos, windows-server-2012-r2

I'm playing around with a test domain on Windows Server 2012 R2. I'm operating at the highest possible functional level and have no backwards-compatibility issues in my small test environment. However, I've realized that despite the fact that I have support for Kerberos AES authentication, it is not enabled by default for any users. I have to actually go into a user's properties and check off "This account supports Kerberos AES 128 bit encryption" and/or "This account supports Kerberos AES 256 bit encryption" to enable it.

(I first realized this when adding a test account to the "Protected Users" group, which sets policy to require AES. Afterwards, all my network logins started failing until I checked those boxes.)

I figure that this might be disabled by default to ensure backwards-compatibility for some systems, but I can't find a way to enable this for all users, or even an explanation of the current behavior.

Any ideas?

Best Answer

Checking the Kerberos AES checkboxes for the users would cause authentication failures on pre-Vista clients. This is probably the reason that it's not set by default.

The Kerberos AES support checkboxes correspond to the value set in an attribute called msDS-SupportedEncryptionTypes.

To change this for more than one user, you can utilize PowerShell and the ActiveDirectory module:

# The numerical values for Kerberos AES encryption types to support
# (bit flags of the msDS-SupportedEncryptionTypes attribute)
$AES128 = 0x8
$AES256 = 0x10

# Fetch all users from an OU with their current supported encryption types attribute
$Users = Get-ADUser -Filter * -SearchBase "OU=SecureUsers,OU=Users,DC=domain,DC=tld" -Properties "msDS-SupportedEncryptionTypes"
foreach($User in $Users)
{
    # The attribute is unset ($null) for accounts that never had a box checked; [int] turns that into 0
    $encTypes = [int]$User."msDS-SupportedEncryptionTypes"
    # If neither AES type is currently supported, enable AES256 while keeping any bits already set
    if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)
    {
        Set-ADUser $User -Replace @{"msDS-SupportedEncryptionTypes"=($encTypes -bor $AES256)}
    }
}
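As an added read-only check that is not part of the original answer: the script below decodes the msDS-SupportedEncryptionTypes bitmask and lists which members of the "Protected Users" group mentioned in the question still lack an AES flag, which is exactly the state that made the logons fail. It assumes the ActiveDirectory module and a reachable domain; the flag names and bit values are the documented bits of that attribute.

```powershell
# Added example (not from the original answer): audit Protected Users members for AES support.
Import-Module ActiveDirectory

# Documented bit values of msDS-SupportedEncryptionTypes
$EncTypeFlags = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
}
$AESMask = 0x8 -bor 0x10

function ConvertFrom-EncTypeMask {
    param([AllowNull()][int]$Mask)
    # An unset attribute ($null, cast to 0) means the DC falls back to its default (RC4 for user accounts)
    if (-not $Mask) { return 'not set (DC default, RC4)' }
    $names = foreach ($kv in $EncTypeFlags.GetEnumerator()) {
        if (($Mask -band $kv.Value) -eq $kv.Value) { $kv.Key }
    }
    return ($names -join ', ')
}

# Group name as used in the question; recursive so nested group members are included
$members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties 'msDS-SupportedEncryptionTypes'

$report = foreach ($u in $members) {
    $mask = [int]$u.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        EncTypes       = ConvertFrom-EncTypeMask $mask
        # Members without either AES bit cannot get Kerberos tickets once the group's AES-only policy applies
        AESEnabled     = (($mask -band $AESMask) -ne 0)
    }
}

# Accounts with AESEnabled = False are listed first; fix them before (or right after) adding them to the group
$report | Sort-Object AESEnabled | Format-Table -AutoSize
```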