query Kerberos encryption modes supported by AD through LDAP
According to this other MSDN blog all computer accounts have this attribute, but legacy systems (pre Vista/2008) do not populate it. A quick glance at computer objects in an AD shows me those attributes, and it is really quite simple to do it in PowerShell with the Active Directory module (so start PowerShell and load the module with 'import-module activedirectory'):
get-adcomputer -properties msDS-SupportedEncryptionTypes -filter *
That's it, you get a list of objects with the attribute. In my case I got "28" (which apparently corresponds to "RC4", "AES128", "AES256").
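An added example (not part of the answer above and not Microsoft tooling) that does the same job from a non-Windows host: it takes the LDIF that an ldapsearch for msDS-SupportedEncryptionTypes returns and decodes the bitset the way the "28" above was decoded, and it can build the value back from a list of names for the case where the attribute has to be set by hand. The LDIF, the DNs and the example.com domain are constructed here; the bit values are the ones documented in MS-KILE. An account with no value is reported as inheriting the DC default, which is the legacy-computer case the answer mentions, and DES/RC4 bits are flagged as weak.

```python
import re

# Bit values of msDS-SupportedEncryptionTypes as documented in MS-KILE.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
# DES and RC4 are the enctypes a keytab should no longer be built for.
WEAK_BITS = {0x01, 0x02, 0x04}

# The query a non-Windows host would run to get the input below (assumed
# DC name, bind account and base DN; standard OpenLDAP ldapsearch flags):
#   ldapsearch -H ldap://dc.example.com -D user@example.com -W \
#     -b "DC=example,DC=com" "(objectClass=computer)" \
#     sAMAccountName msDS-SupportedEncryptionTypes

# Constructed sample output, not captured from a real directory.
SAMPLE_LDIF = """\
dn: CN=WS01,CN=Computers,DC=example,DC=com
sAMAccountName: WS01$
msDS-SupportedEncryptionTypes: 28

dn: CN=LEGACY01,CN=Computers,DC=example,DC=com
sAMAccountName: LEGACY01$

dn: CN=OLDAPP,CN=Computers,DC=example,DC=com
sAMAccountName: OLDAPP$
msDS-SupportedEncryptionTypes: 7
"""


def decode_enctypes(value):
    """Return the enctype names whose bit is set; None (attribute absent) gives []."""
    if value is None:
        return []
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]


def weak_enctypes(value):
    """Return only the DES/RC4 names present in the bitset."""
    if value is None:
        return []
    return [name for bit, name in ENCTYPE_BITS.items() if bit in WEAK_BITS and value & bit]


def encode_enctypes(names):
    """Inverse of decode_enctypes: build the integer to write into the attribute."""
    by_name = {name: bit for bit, name in ENCTYPE_BITS.items()}
    value = 0
    for name in names:
        value |= by_name[name]  # KeyError on an unknown name is deliberate
    return value


def parse_ldif(text):
    """Parse simple ldapsearch LDIF (entries separated by blank lines) into {dn: {attr: value}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, val = line.partition(": ")
            if key == "dn":
                dn = val.strip()
            else:
                attrs[key] = val.strip()
        if dn:
            entries[dn] = attrs
    return entries


def audit(ldif_text):
    """Decode every computer entry; a missing or empty value means the DC default applies."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text).items():
        raw = attrs.get("msDS-SupportedEncryptionTypes")
        value = int(raw) if raw not in (None, "") else None
        report[attrs.get("sAMAccountName", dn)] = {
            "value": value,
            "enctypes": decode_enctypes(value),
            "weak": weak_enctypes(value),
            "inherits_default": value is None,
        }
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_LDIF).items():
        state = "DC default" if info["inherits_default"] else ", ".join(info["enctypes"])
        flag = "  WEAK: " + ", ".join(info["weak"]) if info["weak"] else ""
        print(f"{name:12} {state}{flag}")
```

Pipe the real ldapsearch output into audit() instead of SAMPLE_LDIF; entries that come back as "DC default" are the ones whose keytab enctypes cannot be read from the account itself.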
phg
Updated on September 18, 2022

Comments
-
phg almost 2 years
In short: I need a way to retrieve the encryption modes permitted in the network security policy of a Microsoft DC.
The encryption mode is essential to creating the right set of keys for service principals in the local keytab of a host.
User accounts have the attribute msDS-SupportedEncryptionTypes that gives the modes as a bitset. This can be configured by a Windows admin through some input form. “Computer accounts” however lack this attribute unless one manually sets the attribute in LDAP. And there is no similar input form.
Now, according to the official docs that setting is inherited for each “Computer account” from the local policy. I guess what I need is to look up this policy through LDAP. But how?
-
phg over 6 years: “according to this other msdn blog all computer accounts have this attribute” – They don’t on the Win2008 Server I have for testing. The attribute can be added manually, but it’s not there with a freshly created account. User accounts have checkboxes in the admin form to click KRB5 enctypes, computer accounts however lack them.
-
phg over 6 years: “start powershell and load the module” – The point of using LDAP to interface with the server is to avoid Windows as much as possible so PowerShell isn’t even remotely an option.
-
natxo asenjo over 6 years: They do, but it's empty, as stated in my answer. And PowerShell uses LDAP in this case. I honestly do not understand your comments.