Encryption Types

In Kerberos Manager, you specify the encryption types you want the KDC and the application server to use when issuing tickets. The server decides which encryption type is actually used, but tries to find the most compatible match between the encryption types the client requests and those available on the server. See your server documentation for supported encryption types.

The encryption type name describes the three parts of the encryption type: the actual encryption; the encryption mode (or method); and the integrity check algorithm. For example, DES-CBC-CRC uses Data Encryption Standard (DES) for encryption, Cipher Block Chaining (CBC) for the encryption mode, and Cyclic Redundancy Code (CRC) for error detection. Kerberos servers may refer to encryption types by their hexadecimal equivalent.

The Kerberos client supports the following encryption types:

Encryption Type

Hexadecimal Equivalent




Kerberos Manager uses DES-CBC-CRC as the default, followed by DES-CBC-MD5. Both types work in most environments.



MD4 (a message digest algorithm) is used for error detection.



MD5 authentication is supported automatically by some KDCs. If your KDC doesn't support MD5 authentication, you may receive error messages when you try to connect after configuring DES-CBC-MD5 as the preferred encryption.

NOTE:Select this encryption type if your KDC uses the Cybersafe implementation of Kerberos.



This encryption type does not perform an integrity check.



DES3-HMAC-SHA1 is equivalent to DES3_CBC_SHA1.