Hi,
Lately, I have set up new servers which consist of 2 AD (running 2012) and member servers (running 2016). I have configured a domain GPO to push down to the member servers. One of the settings I configured is Encryption.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos: AES256_HMAC_SHA1 (Only this option is selected).
I spent some time reading up on the KDC but I still fail to understand how it works. I have created one user account in the AD and left the account's properties as they are. When I right-click the account and go to Properties > Attribute Editor, the attribute 'msDS-SupportedEncryptionTypes' has a value of 0x0 (). I am able to log in to the member servers with this user account.
I was told that once I limited the encryption type (via GPO) to 'AES256_HMAC_SHA1', the user account needs to be configured to use the same encryption, else it will not be able to log in. However, I have set nothing at all on the user account.
Can anyone enlighten me on this, and on what 0x0 ( ) means? Thank you in advance.
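
Added example, not part of the original post: the attribute shown in the Attribute Editor is a bitmask, and the parentheses hold the names of the bits that are set, so `0x0 ()` is an empty list. The PowerShell sketch below decodes the encryption-type bits and compares them with an AES256-only policy mask; `Get-EncTypeReport`, the account names and the sample values are constructed for illustration.

```powershell
# Encryption-type bits of msDS-SupportedEncryptionTypes (Microsoft [MS-KILE]).
# Higher bits of the attribute carry other Kerberos features and are ignored here.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC      = 0x01
    DES_CBC_MD5      = 0x02
    RC4_HMAC         = 0x04
    AES128_HMAC_SHA1 = 0x08
    AES256_HMAC_SHA1 = 0x10
}

# Hypothetical helper: decode one account's value and compare it with the policy.
function Get-EncTypeReport {
    param(
        [Parameter(Mandatory)][string]$Name,
        $Value,                      # attribute value; $null when never written
        [int]$PolicyMask = 0x10      # assumption: GPO allows AES256_HMAC_SHA1 only
    )
    $raw   = if ($null -eq $Value) { 0 } else { [int]$Value }
    $names = @($EncTypeBits.GetEnumerator() |
               Where-Object { $raw -band $_.Value } |
               ForEach-Object { $_.Key })
    # 0 or unset: the account declares nothing, so the domain controller
    # falls back to its default instead of reading a list from the account.
    $status = if ($raw -eq 0) { 'nothing declared on the account' }
              elseif ($raw -band $PolicyMask) { 'declares a type the policy allows' }
              else { 'declares only types the policy does not allow' }
    [pscustomobject]@{
        Account  = $Name
        Raw      = '0x{0:X}' -f $raw
        Declared = $names -join ', '
        Status   = $status
    }
}

# Constructed sample values, not read from a real directory. On a domain-joined
# host the real values come from:
#   Get-ADUser -Filter * -Properties 'msDS-SupportedEncryptionTypes'
$sample = @(
    @{ Name = 'user-unset';   Value = $null }
    @{ Name = 'user-zero';    Value = 0x0 }
    @{ Name = 'svc-rc4-only'; Value = 0x4 }
    @{ Name = 'svc-aes';      Value = 0x18 }
    @{ Name = 'svc-all';      Value = 0x1F }
)
$sample | ForEach-Object { Get-EncTypeReport -Name $_.Name -Value $_.Value } |
    Format-Table -AutoSize
```

Accounts reported as declaring only types the policy does not allow are the ones to review before restricting encryption types further.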