Configuring the krb5 file for encryption in Kerberos/SPNEGO SSO in ELM

If you run either the IBM JRE kinit utility or the UNIX kinit utility to obtain a Kerberos ticket, you must edit the client krb5.conf or krb5.ini configuration file to specify the encryption algorithms that Microsoft Active Directory requires.


  1. Locate the krb5.conf or krb5.ini file. For more information, see ELM client configuration for Kerberos/SPNEGO SSO.
  2. Open the file and go to the [libdefaults] section.
    • To include support for Advanced Encryption Standard 128-bit (AES-128) and Rivest Cipher 4 (RC4) encryption, add the following lines:
      default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
      default_tgs_enctypes = aes128-cts-hmac-sha1-96  rc4-hmac
      permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
      Note: For optimal security, it is best to avoid use of Data Encryption Standard (DES) encryption, which is considered unsecure.
    • To include support for Advanced Encryption Standard 256-bit (AES-256) encryption in addition to AES-128 and RC4 encryption, add the following lines instead:
      default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
      default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
      permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
      Important: If you enable AES-256 encryption, you must update the IBM Java Cryptography Encryption (JCE) unrestricted policy files. For more information, see AES 256-bit encryption and the IBM JRE in configuring Kerberos/SPNEGO.
  3. Optional: To verify the encryption types that are used for the Kerberos session key and ticket for each credential in the ticket cache file, or for each key in the keytab file, run the IBM JRE klist -e command. Alternatively, on UNIX systems, you can run the UNIX klist -e command.