Forum Discussion

xnox_xnox's avatar
xnox_xnox
Copper Contributor
Oct 22, 2023

Add support for sha-2 and sha3 in Supported Kerberos Encryption Types

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797

 

https://web.mit.edu/kerberos/krb5-devel/doc/admin/enctypes.html#enctype-compatibility

 

It seems like `aes128-cts-hmac-sha256-128` and `aes256-cts-hmac-sha384-192` are supported by other Kerberos implimentations, but not yet supported by Windows Server.

 

Can those be added to Windows Server?

 

Also can you please think about adding sha-3 based ones too?

Active Directory
Windows Server

3 Replies

  • martinj's avatar
    martinj
    Brass Contributor
    Jun 25, 2024
    aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 is coming with Windows Server 2025.
    https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-windows-server-2025
    • rossmpersonal's avatar
      rossmpersonal
      Copper Contributor
      Nov 18, 2024

      Why is aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 Kerberos encryption types no longer listed at https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-windows-server-2025 ? Did it not make it in to Windows Server 2025?

      • martinj's avatar
        martinj
        Brass Contributor
        Nov 19, 2024

        I'm at MS Ignite now, and I asked the team. 

        They didn't make it in time for GA, but they say, it will come to WS2025, some time in 2025. 

Resources