What is this?
This calculator is intended to help build a high level understanding of how Kerberos encryption type (etype) selection works within Windows environments.
Abbreviations:
- msds-SET: msds-SupportedEncryptionTypes the etypes that are supported by the account.
- Default Domain ETypes: DefaultDomainSupportedEnc the assumed supported encryption types for the domain if no msds-SET is defined for the account.
- KDC: Key Distribution Center
- Subsession Key: The key that can be negotiated after the initial session is setup between client and server.
- Future ETypes: This configuration is used to enable future etypes by default when they are released.
Caveats
This calculator operates with a few assumptions.
- You are working with Windows Server 2025 / Windows 11 24H2 or newer
- The msds-SET is accurately reflecting what the accounts are capable of