Calculate

What is this?

This calculator is intended to help build a high level understanding of how Kerberos encryption type (etype) selection works within Windows environments.

Abbreviations:

• msds-SET: msds-SupportedEncryptionTypes the etypes that are supported by the account.
• Default Domain ETypes: DefaultDomainSupportedEncTypes the assumed supported encryption types for the domain if no msds-SET is defined for the account.
  • IMPORTANT: The DefaultDomainSupportedEncTypes (DDSET) is subject to the KDCs supported encryption types configuration. For example, if the KDC does not support RC4, RC4 will not be used, regardless of the configuration of the DDSET,
• KDC: Key Distribution Center
• Subsession Key: The key that can be negotiated after the initial session is setup between client and server.

Caveats

This calculator operates with a few assumptions.

• You are working with Windows Server 2025 / Windows 11 24H2 or newer.
• The msds-SET is accurately reflecting the etypes that the machines are capable of leveraging.

Additional Reading:

• MS-KILE: Supported Encryption Types Bit Flags
• Network security: Configure encryption types allowed for Kerberos
• Decrypting the Selection of Supported Kerberos Encryption Types