[cifs-protocol] How to determine if an account should use AES?

Sebastian Canevari Sebastian.Canevari at microsoft.com
Wed Aug 19 10:41:57 MDT 2009

Hi Andrew,

The msDS-SupportedEncryptionTypes attribute is populated at object creation time by the subjects that support the property. It is also updated whenever there's a change on the object's configuration that requires an update of the property. Meaning that when a subject changes the type of encryption it supports, it modifies this attribute to reflect the change.

With regard to the NETLOGON_DOMAIN_INFO, I'll check with Obaid to see if I can be of any help.

Please let me know if this answer fully addresses your question.

Thanks and regards,


Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 18, 2009 1:01 AM
To: Sebastian Canevari
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How to determine if an account should use AES?

On Fri, 2009-08-14 at 11:40 -0700, Sebastian Canevari wrote:
> Hi Andrew,
> I've been investigating this and I'm still discussing with the product group what would be the best way to better detail this process.
> As explained in the document, the KDC will rely on the AD property msDS-SupportedEncryptionTypes. 
> Now, if the property is not populated by the server or service, then the KDC will default to RC4 which is the legacy type.

So, the outstanding question is: what would normally populate that attribute?

> With respect to the NETLOGON_DOMAIN_INFO, Matthieu is working with Obaid on that section and I believe Obaid is sending him his response shortly.

I have to say, I'm not the wiser from Obaid's answer. Sorry.

Perhaps you could spell it out a bit more clearly?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
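
Added example, not part of the original thread and not Samba or Microsoft code: a sketch of the decision discussed above, decoding msDS-SupportedEncryptionTypes with the bit assignments published in MS-KILE and falling back to RC4 when the attribute is not populated. The function names and the sample accounts are constructed for illustration, and treating a value with no known bits like an absent attribute is an assumption.

```python
from enum import IntFlag
from typing import Dict, List, Optional


class EncType(IntFlag):
    # Bit assignments for msDS-SupportedEncryptionTypes (MS-KILE).
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10


AES = EncType.AES128_CTS_HMAC_SHA1_96 | EncType.AES256_CTS_HMAC_SHA1_96
KNOWN_BITS = 0x1F  # mask off any higher bits this sketch does not interpret


def effective_enctypes(raw: Optional[str]) -> EncType:
    """raw is the attribute as LDAP returns it (decimal string), or None if absent."""
    if raw is None or not raw.strip():
        return EncType.RC4_HMAC  # not populated: KDC defaults to RC4, per the thread
    known = EncType(int(raw.strip()) & KNOWN_BITS)
    # Assumption: a value carrying no known enctype bit is treated like "not populated".
    return known if known else EncType.RC4_HMAC


def enctype_names(raw: Optional[str]) -> List[str]:
    value = effective_enctypes(raw)
    return [e.name for e in EncType if e & value]


def should_use_aes(raw: Optional[str]) -> bool:
    return bool(effective_enctypes(raw) & AES)


def accounts_without_aes(accounts: Dict[str, Optional[str]]) -> List[str]:
    """Names of accounts for which AES would not be selected."""
    return sorted(n for n, raw in accounts.items() if not should_use_aes(raw))


# Constructed sample data: account name -> attribute value (None = not populated).
SAMPLE = {
    "WIN7-CLIENT$": "28",   # RC4 + AES128 + AES256
    "LEGACY-NAS$": None,    # attribute never written
    "svc-sql": "4",         # RC4 only
    "OLD-DES$": "3",        # DES only
    "DC01$": "31",          # everything
}

if __name__ == "__main__":
    for name, raw in SAMPLE.items():
        print(f"{name:14} {raw!s:>4}  AES={should_use_aes(raw)}  {enctype_names(raw)}")
    print("No AES:", accounts_without_aes(SAMPLE))
```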
