Export (0) Print
Expand All


Published: May 25, 2011

Updated: April 17, 2012

Applies To: Windows Server 2008 R2

Sets the encryption type attribute for the domain. For examples of how this command can be used, see Examples.

ksetup /setenctypeattr <Domain name> {DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC-MD5 | AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96}


Parameter Description


Name of the domain to which you want to establish a connection. Use the fully qualified domain name or a simple form of the name, such as corp.contoso.com or contoso.

Encryption type

Must be one of the following supported encryption types:



  • RC4-HMAC-MD5

  • AES128-CTS-HMAC-SHA1-96

  • AES256-CTS-HMAC-SHA1-96

To view the encryption type for the Kerberos ticket-granting ticket (TGT) and the session key, run the klist command and view the output.

You can set or add multiple encryption types by separating the encryption types in the command with a space. However, you can only do so for one domain at a time.

If the command succeeds or fails, a status message is displayed.

To set the domain that you want to connect to and use, run the ksetup /domain <DomainName> command.

Determine the current encryption types that are set on this computer:


Set the domain to corp.contoso.com:

ksetup /domain corp.contoso.com

Set the encryption type attribute to AES-256-CTS-HMAC-SHA1-96 for the domain corp.contoso.com:

ksetup /setenctypeattr corp.contoso.com AES-256-CTS-HMAC-SHA1-96

Verify that the encryption type attribute was set as intended for the domain:

ksetup /getenctypeattr corp.contoso.com

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2014 Microsoft