Why don't Active Directory user accounts automatically support Kerberos AES authentication?

active-directory encryption windows-server-2012-r2 kerberos

Solution 1:

Checking the Kerberos AES checkboxes for the users would cause authentication failures on pre-Vista clients. This is probably the reason that it's not set by default.

The Kerberos AES support checkboxes correspond to the value set in an attribute called msDS-SupportedEncryptionTypes

To change this for more than one user, you can utilize PowerShell and the ActiveDirectory module:

# The numerical values for Kerberos AES encryption types to support
$AES128 = 0x8
$AES256 = 0x10

# Fetch all users from an OU with their current support encryption types attribute
$Users = Get-ADUser -Filter * -SearchBase "OU=SecureUsers,OU=Users,DC=domain,DC=tld" -Properties "msDS-SupportedEncryptionTypes"
foreach($User in $Users)
{
    # If none are currently supported, enable AES256
    $encTypes = $User."msDS-SupportedEncryptionType"
    if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)
    {
        Set-ADUser $User -Replace @{"msDS-SupportedEncryptionTypes"=($encTypes -bor $AES256)}
    }
}

Related

Black Screen After RDP Session
Is there a difference between foreign language windows install and language pack
Allocating Non-Standard Memory Quantities to Virtual Machines [duplicate]
Good practice regarding multiple package management systems
What does MySQL Error 2013 mean?
In Linux, is there a way of seeing which user updated a file?
Amanda, Bacula, BackupPC Which has a reliable windows client?
What HTTP status should I return during temporary site outage/downtime?
How can I prevent rsync replacing symbolic links with new directories in the target directory hierarchy?
Is the Netbios limt of 15 Charactors still a factor when naming computers?
Apache: Limit the Number of Requests/Traffic per IP?
Sudo !! equivalent in PowerShell