ETypes Schmeetypes

03-27-2025

kerbmeme1.png

Figuring out which Kerberos encryption type (etype) will be used is a common source of confusion. However, we can simplify this process by breaking it down into a checklist:

  1. What kind of ticket are you requesting?
  2. Who are the relevant parties?
  3. What is the default supported encryption for the domain?
  4. Are we talking about the ticket encryption type?
  5. Are we talking about session key encryption types?

By answering these questions, you can easily determine the correct etypes with a calculator!

Caveat: This assumes that when you are saying "KDC SET" that it is the SET for ALL KDCs in the domain. Otherwise a renewal may go to a KDC that doesn't support that etype.

  1. Is this a request for a TGT? If yes then the supported encryption types (SET) will be reduced.
  2. Is this a request for a subsession key? If yes then the KDC SET is irrelevant.
  3. All values are in hexidecimal





Ticket EType:
Session Key EType: