Figuring out which Kerberos encryption type (etype) a given exchange will use is a common source of confusion. It gets much simpler when you break it down into a checklist:

What are you asking about?
    A Ticket Granting Ticket (TGT)
    A Service Ticket (ST)
    A subsession key (SSK) - not a ticket, but negotiated the same way, between the client and the service

Who are the relevant parties?
    For a TGT: the client and the Key Distribution Center (KDC)
    For an ST: the client, the KDC and the service
    For an SSK: the client and the service only

What is the domain's default supported encryption type (SET), i.e. what the KDC assumes for an account whose msDS-SupportedEncryptionTypes attribute is not set?
    Windows Server 2025 or newer: 0x24 (RC4 | AES_SK)
    Windows Server 2022 or older: 0x27 (DES | RC4 | AES_SK)

Are you asking about the ticket encryption type?
    If yes, only the target matters: the ticket is encrypted with the target's long-term key, so the answer is the strongest etype the target supports that the KDC also supports. (For a TGT the target is the krbtgt account.)

Are you asking about the session key encryption type?
    If yes, the answer is the strongest etype that the source, the target and the KDC all support, with two adjustments:
        For a TGT the pool of supported encryption types is reduced: the KDC no longer issues TGTs with RC4 session keys, so RC4 drops out of the TGT session-key choice.
        For a subsession key the KDC's SET is irrelevant; only the client and the service count.

Answer these questions and you can work out the correct etypes with a calculator.

Caveat: "KDC SET" above means the SET that ALL KDCs in the domain share. If one DC supports an etype that another does not, a renewal may be sent to a KDC that doesn't support that etype.
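As an added worked example (this is not code from the original post), here is a small Python calculator that encodes the checklist. The bit values are the documented msDS-SupportedEncryptionTypes flags and the two domain defaults quoted above; everything else is this example's own modelling and is labelled as such: the strength ordering, reading the AES_SK bit as "AES256 may be used for the session key even when the account holds no AES keys", reading "reduced" for a TGT as "RC4 is dropped from the session-key pool", and treating the krbtgt account's keys as the KDC SET. Function names (`calculate`, `ticket_etype`, `session_key_etype`, `domain_kdc_set`, `effective_set`) are the example's own.

```python
"""Toy Kerberos etype calculator for the checklist above (added example).

Masks are bit sets of etypes.  The client's mask is what it advertises in the
request; the target's and the KDC's masks are their SET values.  The strength
order, the AES_SK folding and the TGT "reduction" are modelling assumptions.
"""
from functools import reduce
from operator import and_

# Documented msDS-SupportedEncryptionTypes bit values.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10
AES256_SK = 0x20  # "AES session key" flag, not a ticket etype

NAMES = {
    DES_CBC_CRC: "DES_CBC_CRC",
    DES_CBC_MD5: "DES_CBC_MD5",
    RC4_HMAC: "RC4_HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128_CTS_HMAC_SHA1_96",
    AES256_CTS_HMAC_SHA1_96: "AES256_CTS_HMAC_SHA1_96",
}

# Assumption: strongest first.  DES is listed only so a 0x27 default decodes.
STRENGTH_ORDER = (AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96,
                  RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)

DOMAIN_DEFAULT_2022_AND_OLDER = 0x27  # DES | RC4 | AES_SK
DOMAIN_DEFAULT_2025_AND_NEWER = 0x24  # RC4 | AES_SK


def effective_set(attribute_value, domain_default):
    """An account with no SET attribute (None or 0) inherits the domain default."""
    return attribute_value if attribute_value else domain_default


def domain_kdc_set(per_dc_sets):
    """Checklist caveat: the usable KDC SET is what EVERY DC supports, because a
    renewal may land on a different DC than the original request."""
    if not per_dc_sets:
        raise ValueError("need at least one DC")
    return reduce(and_, per_dc_sets)


def strongest(mask):
    """Name of the strongest real etype in a mask, or None if it has none."""
    for etype in STRENGTH_ORDER:
        if mask & etype:
            return NAMES[etype]
    return None


def for_session_keys(mask):
    """Assumption: AES_SK advertises AES256 for session keys only, so fold it
    into AES256 when choosing a session key (never when choosing a ticket etype)."""
    return mask | AES256_CTS_HMAC_SHA1_96 if mask & AES256_SK else mask


def ticket_etype(target_set, kdc_set):
    """Ticket encryption: the strongest etype the target holds keys for and the
    KDC also supports.  Only those two parties matter."""
    return strongest(target_set & kdc_set)


def session_key_etype(kind, client_mask, kdc_set, target_set=None):
    """Session-key etype for a TGT, ST or SSK following the checklist."""
    if kind == "TGT":
        # Parties: client and KDC (the target is krbtgt, modelled as the KDC SET).
        pool = client_mask & for_session_keys(kdc_set)
        # "SET will be reduced": assumption that RC4 leaves the TGT session-key pool.
        pool &= ~RC4_HMAC
    elif kind == "ST":
        pool = client_mask & for_session_keys(kdc_set) & for_session_keys(target_set)
    elif kind == "SSK":
        # Negotiated directly between client and service; the KDC SET plays no part.
        pool = client_mask & for_session_keys(target_set)
    else:
        raise ValueError(f"unknown request kind {kind!r}")
    return strongest(pool)


def calculate(kind, client_mask, kdc_set, target_attribute=None,
              domain_default=DOMAIN_DEFAULT_2022_AND_OLDER):
    """Return (ticket etype, session-key etype) for one request; None where a
    value does not apply (no ticket for an SSK) or no common etype survives."""
    target_set = kdc_set if kind == "TGT" else effective_set(target_attribute, domain_default)
    ticket = None if kind == "SSK" else ticket_etype(target_set, kdc_set)
    return ticket, session_key_etype(kind, client_mask, kdc_set, target_set)


if __name__ == "__main__":
    # Constructed sample: a modern client and DC advertising AES256, AES128 and RC4.
    modern = AES256_CTS_HMAC_SHA1_96 | AES128_CTS_HMAC_SHA1_96 | RC4_HMAC  # 0x1c
    print("ST, service SET unset (2022 default):", calculate("ST", modern, modern))
    print("ST, service SET = AES only:", calculate("ST", modern, modern, target_attribute=0x18))
    print("TGT, modern client:", calculate("TGT", modern, modern))
    print("TGT, RC4-only client:", calculate("TGT", RC4_HMAC, modern))
    print("SSK, RC4-only service:", calculate("SSK", modern, 0, target_attribute=RC4_HMAC))
    print("KDC SET across DCs 0x1c and 0x18:", hex(domain_kdc_set([modern, 0x18])))
```

The first case reproduces the familiar post-2022 outcome for a service account with no SET attribute: an RC4-encrypted ticket (the account only has RC4 keys) carrying an AES256 session key (via AES_SK). The RC4-only-client TGT case shows the effect of the reduction rule: once RC4 is removed, nothing common remains and the calculator returns None for the session key, which is exactly the situation the checklist is meant to make visible.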