Windows Vista and Windows Server 2008 introduced support for the Kerberos AES crypto profiles, in addition to the older crypto profiles (DES/DES3 and RC4) already implemented in earlier Windows versions.
The SMB implementation supports the new AES crypto profiles. The supported AES crypto profiles are:
- AES256: HMAC-SHA1-96 (the default if AES is supported)
- AES128: HMAC-SHA1-96. To force AES-128 encryption:
  - Configure the DC only: set msDS-SupportedEncryptionTypes = 0x8 (AES128_CTS_HMAC_SHA1_96) on the computer account.
  - Run klist purge on the client.
Configuration to Support AES with Existing CIFS Names (created on 12.2 or earlier)
- No configuration is required on the existing CIFS names themselves. AES is automatically enabled on upgrade to 12.3 or later.
- However, configuration is required on the DC for existing CIFS names: AES must be added to the supported encryption types list of the computer accounts of the existing CIFS names.
Configuration to Support AES with New CIFS Names (created on 12.3 or later)
- No configuration is required for newly created CIFS names.
Upgrades and downgrades
- For an upgrade (from 12.2 or earlier to 12.3 or later), AES must be added to the supported encryption types of the DC computer accounts of existing CIFS names.
- For a downgrade (from a 12.3 or later to a 12.2 or earlier), AES must be removed from the supported encryption types of DC computer accounts for CIFS names that were created with 12.3 or later, or had AES explicitly enabled as per the above upgrade consideration. Otherwise, SMB authentication will fall back to NTLM.
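The upgrade and downgrade steps above both come down to editing the msDS-SupportedEncryptionTypes bitmask on the CIFS name's DC computer account. The following PowerShell is an added example, not part of the original page or the product's own tooling; it assumes the RSAT ActiveDirectory module, rights to modify the account, and a placeholder account name.

```powershell
# Added example: add (upgrade) or remove (downgrade) the AES bits on a CIFS name's
# DC computer account. Assumes the ActiveDirectory module is available and the
# caller may modify the account. Account name below is a placeholder.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (documented by Microsoft).
$RC4_HMAC = 0x4
$AES128   = 0x8    # AES128_CTS_HMAC_SHA1_96
$AES256   = 0x10   # AES256_CTS_HMAC_SHA1_96

$account = 'CIFSNAME-PLACEHOLDER$'   # placeholder sAMAccountName of the CIFS name computer account

function Get-EncTypes {
    param([string]$Identity)
    $c = Get-ADComputer -Identity $Identity -Properties 'msDS-SupportedEncryptionTypes'
    [int]($c.'msDS-SupportedEncryptionTypes')   # $null (unset) becomes 0: the DC default applies
}

function Set-EncTypes {
    param([string]$Identity, [int]$Value)
    Set-ADComputer -Identity $Identity -Replace @{'msDS-SupportedEncryptionTypes' = $Value}
}

# Upgrade (12.2 or earlier -> 12.3 or later): add AES to what is already set.
# If the attribute is unset, start from RC4 so the older profile stays available
# rather than writing an AES-only mask by accident.
$current = Get-EncTypes $account
if ($current -eq 0) { $current = $RC4_HMAC }
$withAes = $current -bor $AES128 -bor $AES256
Set-EncTypes $account $withAes
"{0}: 0x{1:X} -> 0x{2:X}" -f $account, $current, $withAes

# Downgrade (12.3 or later -> 12.2 or earlier): clear the AES bits. If they are
# left set, SMB authentication falls back to NTLM as described above.
# $current = Get-EncTypes $account
# $noAes = $current -band (-bnot ($AES128 -bor $AES256))
# Set-EncTypes $account $noAes

# Verify the result; then run "klist purge" on the client so cached tickets
# issued with the old encryption type are discarded.
$final = Get-EncTypes $account
"AES256 enabled: {0}; AES128 enabled: {1}" -f (($final -band $AES256) -ne 0), (($final -band $AES128) -ne 0)
```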