If anyone wants a shorter "decoder ring" in a PowerShell script, I use this enum to simplify things. I didn't use the "official" names for the encryption types, but obviously they can be adjusted to suit your purposes.
[Flags()] enum crypt
{
    DES_CBC_CRC          = 1    # 0x001 DES-CBC-CRC
    DES_CBC_MD5          = 2    # 0x002 DES-CBC-MD5
    RC4                  = 4    # 0x004 RC4-HMAC
    AES_128              = 8    # 0x008 AES128-CTS-HMAC-SHA1-96
    AES_256              = 16   # 0x010 AES256-CTS-HMAC-SHA1-96
    FAST                 = 32   # 0x020 FAST supported
    COMPOUND             = 64   # 0x040 Compound identity supported
    CLAIMS               = 128  # 0x080 Claims supported
    SID_COMPRESS_DISABLE = 256  # 0x100 Resource SID compression disabled
    AES_256_SK           = 512  # 0x200 AES256-CTS-HMAC-SHA1-96-SK (session key)
}
$myDC = Get-ADComputer MYDC -Properties 'msDS-supportedEncryptionTypes'
# decimal value in attribute
$myDC.'msDS-supportedEncryptionTypes'
# 28
# look up the value (cast the integer to the [Flags] enum)
[crypt] $myDC.'msDS-supportedEncryptionTypes'
# RC4, AES_128, AES_256
# you probably want a string if outputting/exporting later
([crypt] $myDC.'msDS-supportedEncryptionTypes').ToString()
# nb: if the attribute has never been set it comes back $null (and 0 is also possible);
# both mean "domain default applies", so test for that before casting rather than decoding it as "nothing enabled"
You can use the same enum to help construct AD queries to find any objects with specific encryption combinations you are interested in. This example will build an AD query to target objects that include either of the DES encryption values, but do not have either AES type enabled.
# Use the enum to look up and combine the values we want (-bor combines the flag bits)
# Accounts that have either DES enabled
$cryptval = [crypt]::DES_CBC_CRC -bor [crypt]::DES_CBC_MD5
# accounts with either of the AES cryptos
$missingval = [crypt]::AES_128 -bor [crypt]::AES_256
<# you can look at the decimal values by casting to [int]
[int]$cryptval   # 3
[int]$missingval # 24
#>
# Query values are converted to hex for the AD search
# (nb: normally RC4 would be included in $cryptqry (0x7) if you're trying to identify all non-AES enabled accounts)
$cryptqry = "0x{0:X}" -f [int]$cryptval     # 0x3
$missingqry = "0x{0:X}" -f [int]$missingval # 0x18
# Use a bitwise OR (-bor) query filter to find objects that contain *any* of the values you're interested in
# (-bor is the LDAP bitwise-OR matching rule; -band would require *all* of the bits to be set)
# This will find accounts with DES_CBC_CRC and/or DES_CBC_MD5 enabled that do NOT also have AES128 or AES256
# Note the parentheses around the -not term: the whole bitwise comparison has to be negated, not just the attribute
$desOnly = Get-ADObject -Filter "(msDS-supportedEncryptionTypes -bor $cryptqry) -and (-not (msDS-supportedEncryptionTypes -bor $missingqry))" `
    -Properties 'msDS-supportedEncryptionTypes'
# Caveat: objects with the attribute unset never match a bitwise filter, and 0 matches nothing either;
# those fall back to the domain default, so audit them separately
# (e.g. -Filter 'msDS-supportedEncryptionTypes -notlike "*"' for the unset case)
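As an added example (not part of the original comment, and not the author's code), here is the same enum put to work on a batch of objects at once: it decodes each value, separates real ciphers from the capability flags, reports the weakest cipher each object advertises, and handles the unset/zero case that a server-side bitwise filter silently skips. It runs offline: the object names and attribute values below are constructed sample data standing in for Get-ADObject output, and the ConvertTo-EtypeReport function name is my own.

```powershell
# Added example: decode msDS-supportedEncryptionTypes for several objects and rank by weakest cipher.
# Sample objects are constructed for the demo; replace $sample with Get-ADObject output for real use.

[Flags()] enum crypt {
    DES_CBC_CRC          = 1
    DES_CBC_MD5          = 2
    RC4                  = 4
    AES_128              = 8
    AES_256              = 16
    FAST                 = 32
    COMPOUND             = 64
    CLAIMS               = 128
    SID_COMPRESS_DISABLE = 256
    AES_256_SK           = 512
}

# Bits that are real Kerberos ciphers, weakest first; every other bit is a capability flag.
$cipherOrder = @([crypt]::DES_CBC_CRC, [crypt]::DES_CBC_MD5, [crypt]::RC4,
                 [crypt]::AES_128, [crypt]::AES_256, [crypt]::AES_256_SK)
$cipherMask = 0
foreach ($c in $cipherOrder) { $cipherMask = $cipherMask -bor [int]$c }   # 543 = 0x21F
$aesMask = [int][crypt]::AES_128 -bor [int][crypt]::AES_256 -bor [int][crypt]::AES_256_SK

function ConvertTo-EtypeReport {
    param(
        [Parameter(Mandatory)] [string]$Name,
        # Raw attribute value as read from AD; $null means the attribute is not set on the object.
        [AllowNull()] [object]$Raw
    )
    if ($null -eq $Raw) {
        # Unset attribute: the KDC applies the domain default, so there is nothing explicit to decode.
        return [pscustomobject]@{
            Name = $Name; Raw = $null; Ciphers = '(not set: domain default)'
            Flags = ''; Weakest = 'default'; HasAES = $false; Unset = $true
        }
    }
    $v          = [int]$Raw
    $cipherBits = $v -band $cipherMask
    $flagBits   = $v -band (-bnot $cipherMask)
    # First bit set in weakest-first order is the weakest cipher the object will accept.
    $weakest = $cipherOrder | Where-Object { $cipherBits -band [int]$_ } | Select-Object -First 1
    $cipherText  = if ($cipherBits) { ([crypt]$cipherBits).ToString() } else { '(none: domain default)' }
    $flagText    = if ($flagBits)   { ([crypt]$flagBits).ToString() }   else { '' }
    $weakestText = if ($weakest)    { $weakest.ToString() }             else { 'default' }
    [pscustomobject]@{
        Name    = $Name
        Raw     = $v
        Ciphers = $cipherText
        Flags   = $flagText
        Weakest = $weakestText
        HasAES  = (($cipherBits -band $aesMask) -ne 0)
        Unset   = $false
    }
}

# Constructed sample objects standing in for Get-ADObject output.
$sample = @(
    [pscustomobject]@{ Name = 'DC01$';      'msDS-supportedEncryptionTypes' = 28 }    # RC4 + AES128 + AES256
    [pscustomobject]@{ Name = 'svc_legacy'; 'msDS-supportedEncryptionTypes' = 3 }     # DES only
    [pscustomobject]@{ Name = 'svc_sql';    'msDS-supportedEncryptionTypes' = 4 }     # RC4 only
    [pscustomobject]@{ Name = 'svc_web';    'msDS-supportedEncryptionTypes' = 24 }    # AES only
    [pscustomobject]@{ Name = 'FS01$';      'msDS-supportedEncryptionTypes' = 0 }     # explicitly 0
    [pscustomobject]@{ Name = 'ws-old$';    'msDS-supportedEncryptionTypes' = $null } # attribute unset
)

$report = foreach ($o in $sample) {
    ConvertTo-EtypeReport -Name $o.Name -Raw $o.'msDS-supportedEncryptionTypes'
}
$report | Format-Table Name, Raw, Ciphers, Flags, Weakest, HasAES -AutoSize

# Same selection as the server-side -bor / -not filter, done client side ...
"`nDES or RC4 without AES:"
$report | Where-Object { (-not $_.HasAES) -and ($_.Weakest -in 'DES_CBC_CRC','DES_CBC_MD5','RC4') } |
    Select-Object Name, Ciphers

# ... plus the objects a bitwise filter can never see because the attribute is unset or 0.
"`nNo explicit etypes (domain default applies):"
$report | Where-Object { $_.Unset -or $_.Raw -eq 0 } | Select-Object Name
```

The point of the client-side pass is the last group: an LDAP bitwise filter only evaluates objects that carry the attribute with at least one matching bit, so accounts that have never had it set, or that have it set to 0, are invisible to the `-bor` query even though the domain default decides what etypes they actually get.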