Export (0) Print
Expand All


Published: May 25, 2011

Updated: April 17, 2012

Applies To: Windows Server 2008 R2

Adds the encryption type attribute to the list of possible types for the domain. For examples of how this command can be used, see Examples.

ksetup /addenctypeattr <DomainName> {DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC-MD5 | AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96}


Parameter Description


Name of the domain to which you want to establish a connection. Use the fully qualified domain name or a simple form of the name, such as or contoso.

Encryption type

Must be one of the following supported encryption types:



  • RC4-HMAC-MD5

  • AES128-CTS-HMAC-SHA1-96

  • AES256-CTS-HMAC-SHA1-96

To view the encryption type for the Kerberos ticket-granting ticket (TGT) and the session key, run the klist command and view the output.

You can set or add multiple encryption types by separating the encryption types in the command with a space. However, you can only do so for one domain at a time.

If the command succeeds or fails, a status message is displayed.

To set the domain that you want to connect to and use, run the ksetup /domain <DomainName> command.

Determine the current encryption types that are set on this computer:


Set the domain to

ksetup /domain

Add the encryption type AES-256-CTS-HMAC-SHA1-96 to the list of possible types for the domain

ksetup /addenctypeattr AES-256-CTS-HMAC-SHA1-96

Set the encryption type attribute to AES-256-CTS-HMAC-SHA1-96 for the domain

ksetup /setenctypeattr AES-256-CTS-HMAC-SHA1-96

Verify that the encryption type attribute was set as intended for the domain:

ksetup /getenctypeattr

Community Additions

© 2016 Microsoft