Score:0

How can I set the 'The other domain supports Kerberos AES Encryption' setting programmatically?


In the GUI (Active Directory Domains and Trusts MMC Snap-in (domain.msc)), you can set the "The other domain supports Kerberos AES Encryption" setting for a trust relationship:


I am looking for a way to set this setting programmatically. I already reviewed the Install-ADDSDomain PowerShell cmdlet and also the netdom TRUST tool, but both do not seem to include an option to set the Kerberos AES encryption setting.

Can someone tell me how I can set this setting programmatically?

Score:0

This can be done with ksetup:

ksetup /setenctypeattr <THE_OTHER_DOMAIN> AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

See also this documentation. Be aware where you execute this command for which domain. You can only use it to set the encryption types for the other domain. So if you are on a DC of child.contoso.com, you can issue:

ksetup /setenctypeattr contoso.com AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

If you are on a DC of contoso.com, you can issue:

ksetup /setenctypeattr child.contoso.com AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

Other combinations are not possible and you may face the following problems:
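
To confirm what the ksetup commands above wrote, this added example (not part of the original answer) lists every trust in the current domain with its decoded Kerberos encryption types. It assumes the ActiveDirectory PowerShell module is available and that the trust setting is stored in the msDS-SupportedEncryptionTypes attribute of the trustedDomain object; the function names are hypothetical.

```powershell
# Added example: audit the Kerberos encryption types configured on each trust.
# Assumption: the trust setting lives in the msDS-SupportedEncryptionTypes
# bitmask of the trustedDomain objects under CN=System,<domain DN>.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes.
$EncTypeBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    @{ Bit = 0x04; Name = 'RC4-HMAC' }
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)

# Hypothetical helper: turn the bitmask into readable names.
function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    $names = foreach ($e in $EncTypeBits) {
        if ($Mask -band $e.Bit) { $e.Name }
    }
    if ($names) { $names -join ', ' } else { '(not set)' }
}

# Hypothetical helper: one row per trust of the current domain.
function Get-TrustEncryptionType {
    $systemDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -SearchBase $systemDn `
                 -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties trustPartner, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            # An absent attribute reads as $null, which casts to 0.
            $mask = [int]$_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                TrustPartner = $_.trustPartner
                Mask         = '0x{0:X}' -f $mask
                EncTypes     = ConvertFrom-EncTypeMask $mask
                # True only when an AES bit is set and no DES or RC4 bit is.
                AesOnly      = (($mask -band 0x18) -ne 0) -and
                               (($mask -band 0x07) -eq 0)
            }
        }
}

Get-TrustEncryptionType | Format-Table -AutoSize
```

A trust configured with both AES types and nothing else shows a mask of 0x18.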
