adclient.krb5.tkt.encryption.type.strict
The adclient.krb5.tkt.encryption.type.strict parameter controls whether to replace the encryption types set in default_tgs_enctypes and default_tkt_enctypes in krb5.conf with the encryption types specified in adclient.krb5.tkt.encryption.types in centrifydc.conf.
-
When adclient.krb5.tkt.encryption.type.strict is false (default), then:
The encryption types listed adclient.krb5.tkt.encryption.types in centrifydc.conf are added to the list of encryption types in default_tgs_enctypes and default_tkt_enctypes in krb5.conf.
This only ensures that what is specified in centrifydc.conf is present in krb5.conf. It does not remove unknown items.
-
When adclient.krb5.tkt.encryption.type.strict is set to true, then:
The encryption types listed in adclient.krb5.tkt.encryption.types in centrifydc.conf replace the encryption types specified in the settings, default_tgs_enctypes and default_tkt_enctypes, in krb5.conf.
The permitted encryption types in krb5.conf exactly match the permitted encryption types in centrifydc.conf. Extra or unknown encryption types are removed.
Example:
adclient.krb5.tkt.encryption.type.strict: false
-
false — Default is false. No change in behavior. default_tgs_enctypes and default_tkt_enctypes are updated from the centrifydc.conf file.
Items from centrifydc.conf are added, if they were not already listed. Other items that were already in default_tgs_enctypes and default_tkt_enctypes are left alone and not removed.
-
true — Replace the targeted krb5.conf parameters so they match exactly what is specified in centrifydc.conf.
Items from centrifydc.conf are added, if they were not already listed. Other items that were already in default_tgs_enctypes and default_tkt_enctypes, and not in centrifydc.conf, are removed.
To apply changes to this parameter, either restart adclient or ensure the group policy is set as follows: Computer Configuration > Centrify Settings > DirectControl Settings > Kerberos Settings > Control if strictly enforce the encTypes.
