Can you set a different default msDS-SupportedEncryptionTypes attribute value during join?
During the domain join, the msDS-SupportedEncryptionTypes attribute of the computer object is set to the following value by default:
524316
This indicates support for:
RC4_HMAC_MD5, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96, with the 'Disable Resource Group Compression bit' set.
In some circumstances you may wish to change the default.
From Safeguard Authentication Services version 5.1.1 onwards you can use the -m option to set this value during the join:
For example, to set the value to 24 (AES128 + AES256 only):
# /opt/quest/bin/vastool -u <admin user> join -m 24 <domain>
Note:
The 'Disable Resource Group Compression bit' value (524288) is added to any value that you enter after -m.
For example, a value of 24 becomes 524312 (24 + 524288 = 524312).
If the computer object is already joined to the domain, then you can use the following command to change the value:
# /opt/quest/bin/vastool -u host/ setattrs host/ msDS-SupportedEncryptionTypes 24
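The bit arithmetic described above, as an added example that is not part of the original article or the product: a shell helper that decodes an msDS-SupportedEncryptionTypes value, computes the value that results from a given -m argument, and checks whether DES or RC4 is still advertised. The function names are hypothetical, and the DES bit values (1 and 2) come from the Microsoft Kerberos specification rather than from this page.

```shell
#!/bin/sh
# Added example: decode msDS-SupportedEncryptionTypes values.
# Function names are hypothetical. Bits 1 and 2 (DES) are taken from
# MS-KILE; the 524288 bit is named as it is on this page.

RGC_BIT=524288   # 'Disable Resource Group Compression bit'

# Print the names of all known bits set in an attribute value.
decode_enctypes() {
    value=$1
    out=""
    for pair in 1:DES_CBC_CRC 2:DES_CBC_MD5 4:RC4_HMAC_MD5 \
                8:AES128_CTS_HMAC_SHA1_96 16:AES256_CTS_HMAC_SHA1_96 \
                "${RGC_BIT}:DISABLE_RESOURCE_GROUP_COMPRESSION"; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( value & bit )) -ne 0 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# Attribute value that results from 'vastool join -m <m>', per the note above.
value_after_join() {
    printf '%s\n' $(( $1 + RGC_BIT ))
}

# Succeeds (exit 0) when DES or RC4 is still advertised (bits 1, 2, 4).
has_legacy_enctypes() {
    [ $(( $1 & 7 )) -ne 0 ]
}

# Constructed sample values: the join default, and the result of -m 24.
for v in 524316 "$(value_after_join 24)"; do
    if has_legacy_enctypes "$v"; then
        status="legacy enctypes present"
    else
        status="AES only"
    fi
    printf '%s: %s [%s]\n' "$v" "$(decode_enctypes "$v")" "$status"
done
```

The same functions can be pointed at the value read back from the computer object to confirm that a change made with -m or setattrs took effect.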
© 2025 One Identity LLC. ALL RIGHTS RESERVED.