Applies To: Windows Server 2008 R2, Windows Server 2012, Windows 8

Sets the encryption type attribute for the domain. For examples of how this command can be used, see Examples.


ksetup /setenctypeattr <Domain name> {DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC-MD5 | AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96}





Name of the domain to which you want to establish a connection. Use the fully qualified domain name or a simple form of the name, such as corp.contoso.com or contoso.

Encryption type

Must be one of the following supported encryption types:



  • RC4-HMAC-MD5

  • AES128-CTS-HMAC-SHA1-96

  • AES256-CTS-HMAC-SHA1-96


To view the encryption type for the Kerberos ticket-granting ticket (TGT) and the session key, run the klist command and view the output.

You can set or add multiple encryption types by separating the encryption types in the command with a space. However, you can only do so for one domain at a time.

If the command succeeds or fails, a status message is displayed.

To set the domain that you want to connect to and use, run the ksetup /domain <DomainName> command.


Determine the current encryption types that are set on this computer:


Set the domain to corp.contoso.com:

ksetup /domain corp.contoso.com

Set the encryption type attribute to AES-256-CTS-HMAC-SHA1-96 for the domain corp.contoso.com:

ksetup /setenctypeattr corp.contoso.com AES-256-CTS-HMAC-SHA1-96

Verify that the encryption type attribute was set as intended for the domain:

ksetup /getenctypeattr corp.contoso.com

Additional references