query Kerberos encryption modes supported by AD through LDAP

6,625

According to this other MSDN blog, all computer accounts have this attribute, but legacy systems (pre Vista/2008) do not populate it. A quick glance at computer objects in an AD shows me those attributes, and it is really quite simple to do it in PowerShell with the Active Directory module (so start PowerShell and load the module with 'import-module activedirectory'):

get-adcomputer -properties msDS-SupportedEncryptionTypes -filter *

That's it, you get a list of objects with the attribute. In my case I got "28" (which apparently corresponds to "RC4", "AES128", "AES256").
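As an added example (not code from the answer above, and not part of the asker's setup): a small Python decoder for the msDS-SupportedEncryptionTypes value the answer got back, plus the LDAP filters a directory-only client would use to find accounts that still allow DES or RC4, or that lack the attribute entirely (the legacy case discussed in the comments). The bit values follow MS-KILE section 2.2.7 and the matching-rule OID is Active Directory's standard bitwise-OR extensible match; the sample records and account names are constructed for the example.

```python
# Added example: decode msDS-SupportedEncryptionTypes and build LDAP filters
# for auditing Kerberos enctype settings. Not from the answer above.
from __future__ import annotations

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
# Only the low five bits name cipher suites; the others are capability flags.
CIPHER_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
DES_MASK = 0x03
RC4_MASK = 0x04
AES_MASK = 0x18

# Active Directory extensible-match rule for bitwise OR (LDAP_MATCHING_RULE_BIT_OR):
# matches when ANY bit of the supplied mask is set in the attribute.
BIT_OR_RULE = "1.2.840.113556.1.4.804"

# Constructed sample records, shaped like LDAP search results (not real data).
SAMPLE_RECORDS = [
    {"sAMAccountName": "SRV01$", "msDS-SupportedEncryptionTypes": 28},    # RC4+AES
    {"sAMAccountName": "SRV02$", "msDS-SupportedEncryptionTypes": 24},    # AES only
    {"sAMAccountName": "LEGACY03$"},                                      # attribute never populated
    {"sAMAccountName": "OLDAPP04$", "msDS-SupportedEncryptionTypes": 3},  # DES only
]


def decode_enctypes(value: int | None) -> list[str]:
    """Return the cipher suite names whose bits are set; [] when the attribute is absent."""
    if value is None:
        return []
    return [name for bit, name in CIPHER_BITS.items() if value & bit]


def classify(value: int | None) -> str:
    """Rate an account's enctype set for a keytab/hardening review.

    "unset"    - attribute absent, 0, or capability flags only: the DC applies its
                 own default, so do not derive keytab enctypes from this value.
    "weak"     - DES enabled, or RC4 is the only cipher offered.
    "mixed"    - RC4 still allowed alongside AES (a downgrade remains possible).
    "aes-only" - only AES128/AES256 bits set.
    """
    if not value:
        return "unset"
    ciphers = value & (DES_MASK | RC4_MASK | AES_MASK)
    if ciphers & DES_MASK:
        return "weak"
    if ciphers & RC4_MASK:
        return "mixed" if ciphers & AES_MASK else "weak"
    return "aes-only" if ciphers & AES_MASK else "unset"


def weak_enctype_filter(object_class: str = "computer") -> str:
    """LDAP filter matching accounts with any DES or RC4 bit set (server-side bitwise OR)."""
    mask = DES_MASK | RC4_MASK
    return (f"(&(objectClass={object_class})"
            f"(msDS-SupportedEncryptionTypes:{BIT_OR_RULE}:={mask}))")


def unset_enctype_filter(object_class: str = "computer") -> str:
    """LDAP filter for accounts where the attribute is missing, i.e. never populated."""
    return f"(&(objectClass={object_class})(!(msDS-SupportedEncryptionTypes=*)))"


def matches_bit_or(value: int | None, mask: int) -> bool:
    """Local emulation of the BIT_OR rule, to sanity-check a filter against sample data."""
    return value is not None and (value & mask) != 0


def audit(records: list[dict]) -> dict[str, str]:
    """Map each account name to its classification."""
    return {r["sAMAccountName"]: classify(r.get("msDS-SupportedEncryptionTypes"))
            for r in records}


if __name__ == "__main__":
    for name, rating in audit(SAMPLE_RECORDS).items():
        print(f"{name:12} {rating}")
    print("server-side filter:", weak_enctype_filter())
    print("unpopulated filter:", unset_enctype_filter())
```

The two filter strings can be handed to any LDAP client (for example as the filter argument of ldapsearch over LDAPS), which covers the asker's requirement of not going through Windows tooling. Accounts reported as "unset" are exactly the freshly created or pre-Vista/2008 computer accounts the comments describe: the code deliberately does not guess a default for them, since the enctypes the KDC will actually issue for such an account depend on the DC's own policy rather than on this attribute.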


Author: phg

Updated on September 18, 2022

Comments

  • phg (almost 2 years)

    In short: I need a way to retrieve the encryption modes permitted in the network security policy of a Microsoft DC.

    The encryption mode is essential to creating the right set of keys for service principals in the local keytab of a host.

    User accounts have the attribute msDS-SupportedEncryptionTypes that gives the modes as a bitset. This can be configured by a Windows admin through some input form. “Computer accounts” however lack this attribute unless one manually sets the attribute in LDAP. And there is no similar input form.

    Now, according to the official docs that setting is inherited for each “Computer account” from the local policy. I guess what I need is to look up this policy through LDAP. But how?

  • phg (over 6 years)
    “according to this other msdn blog all computer accounts have this attribute” – They don’t on the Win2008 Server I have for testing. The attribute can be added manually, but it’s not there with a freshly created account. User accounts have checkboxes in the admin form to click KRB5 enctypes, computer accounts however lack them.
  • phg (over 6 years)
    “start powershell and load the module” – The point of using LDAP to interface with the server is to avoid Windows as much as possible so Powershell isn’t even remotely an option.
  • natxo asenjo (over 6 years)
    They do, but it's empty, as stated in my answer. And powershell uses ldap in this case. I honestly do not understand your comments.