3.4.3.1 msDS-SupportedEncryptionTypes attribute

If the realm is a KILE implementation that uses Active Directory for the account database, the server SHOULD ensure that the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.481) of its account object is set to the value of SupportedEncryptionTypes (section 3.1.1.5).

When an application server is running under the machine account and NRPC is supported on the machine, the server calls NetrLogonGetDomainInfo ([MS-NRPC] section 3.4.5.2.10) with the Level parameter set to 1 and WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes set to zero.<76> If the WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes returned is not equal to SupportedEncryptionTypes (section 3.1.1.5), then LDAP is used to update the setting:

  1. Establish an LDAP connection with server information set to NULL ([MS-ADTS] section 7.1).

  2. Perform an LDAP modify operation to set the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.481) of the computer account object to the value of SupportedEncryptionTypes (section 3.1.1.5).
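
The comparison and update decision described above, as an added example that is not part of the specification or of any Microsoft implementation. The bit values are the Supported Encryption Types Bit Flags of section 2.2.7; the function names, the sample DN and the sample values are constructed, and classing DES and RC4 as weak is an audit assumption.

```python
# Added example: decode msDS-SupportedEncryptionTypes and decide whether the
# directory value needs the LDAP modify from step 2. All names are hypothetical.
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
FEATURE_BITS = {
    0x10000: "FAST-supported",
    0x20000: "Compound-identity-supported",
    0x40000: "Claims-supported",
    0x80000: "Resource-SID-compression-disabled",
}
WEAK_MASK = 0x01 | 0x02 | 0x04  # assumption: DES and RC4 flagged for audit


def decode(value):
    """Split an msDS-SupportedEncryptionTypes integer into named flags."""
    known = {**ETYPE_BITS, **FEATURE_BITS}
    names = [name for bit, name in sorted(known.items()) if value & bit]
    unknown = value & ~sum(known)  # bits are disjoint, so sum equals OR
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def weak_etypes(value):
    """Names of the DES/RC4 encryption types enabled in value."""
    return decode(value & WEAK_MASK)


def plan_update(computer_dn, reported, supported):
    """Return an LDIF modify record if reported != supported, else None."""
    if reported == supported:
        return None  # directory already matches SupportedEncryptionTypes
    return "\n".join([
        f"dn: {computer_dn}",
        "changetype: modify",
        "replace: msDS-SupportedEncryptionTypes",
        f"msDS-SupportedEncryptionTypes: {supported}",
        "-",
    ])


if __name__ == "__main__":
    dn = "CN=APP01,CN=Computers,DC=example,DC=com"  # constructed sample
    print(decode(28), weak_etypes(28))
    print(plan_update(dn, reported=28, supported=24))
```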