z/OS Integrated Security Services Network Authentication Service Administration


Encryption types and strong encryption

SC23-6786-00

Network Authentication Service for z/OS supports the following encryption types:
  • 56-bit DES, referred to specifically as DES
  • 56-bit DES with key derivation, referred to specifically as DESD
  • 168-bit DES, referred to specifically as DES3
  • 128-bit AES, referred to specifically as AES128
  • 256-bit AES, referred to specifically as AES256

A Kerberos ticket has two portions, a user portion and a server portion, and each may be encrypted with a different encryption type. The KDC selects these encryption types as follows:
  • The encryption type of the server portion is the first encryption type in the SKDC_TKT_ENCTYPES environment variable (processed left to right) that is available in the local realm definition.
  • The encryption type of the user portion of a TGT is the first encryption type in the default_tkt_enctypes environment variable (processed left to right) that is available in the user's principal definition.
  • The encryption type of the user portion of a service ticket is the first encryption type in the default_tgs_enctypes environment variable (processed left to right) that is available in the service principal definition.

The KDC does not choose encryption types by encryption strength; it chooses them by the order of the entries in these environment variables (left to right). It is therefore important to order these entries correctly, because they affect the entire system. If a particular system does not support an encryption type, it is not necessary to disable that encryption type for everyone; remove it from the appropriate principal's definition instead.

In Network Authentication Service for z/OS, DES encryption is always supported. DES3, AES128, and AES256 encryption are available for authentication purposes; however, because of US government export regulations, they might not be available for user data encryption. This means that tickets can be obtained using DES3 encryption, for instance, while the session keys in service tickets might need to be restricted to DES encryption (the session key is often used for user data encryption).

The use of DES3 encryption can therefore be controlled on an individual server basis when necessary. For example, if a foreign realm does not support DES3 encryption, the krbtgt/foreign-realm@local-realm principal entry in the KDC registry database contains only a DES key and not a DES3 key.
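The following added example models the left-to-right selection rule described for SKDC_TKT_ENCTYPES, default_tkt_enctypes and default_tgs_enctypes, and the cross-realm case above in which the krbtgt/foreign-realm@local-realm entry holds only a DES key. It is constructed illustration code, not the z/OS Network Authentication Service implementation: the principal names, the key sets in PRINCIPAL_KEYS, the strength ranking in STRENGTH and the function names are assumptions. Its point is the one the text makes: with the same keys available, the position of an entry decides the outcome, so a weaker type listed first silently shadows every stronger type after it.

```python
"""Constructed model of the KDC's left-to-right encryption type selection.

Example code added here; not the z/OS KDC's code. Principal names, key sets
and preference lists are invented sample data using the page's short names.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample: encryption types for which each entry in the KDC
# registry holds a key (DES, DESD, DES3, AES128, AES256 as on the page).
PRINCIPAL_KEYS: Dict[str, Set[str]] = {
    "LOCALREALM": {"DES", "DES3", "AES128", "AES256"},   # local realm definition
    "alice@LOCALREALM": {"DES", "DES3", "AES256"},        # a user principal
    "http/app@LOCALREALM": {"DES", "DES3"},               # a service principal
    "krbtgt/FOREIGN@LOCALREALM": {"DES"},                 # cross-realm entry: DES key only
}

# Assumed relative strength ranking; used only by audit_preference(), never
# by the selection itself, which (as the text says) ignores strength.
STRENGTH: Dict[str, int] = {"DES": 1, "DESD": 1, "DES3": 2, "AES128": 3, "AES256": 4}


def select_enctype(preference: Iterable[str], available: Set[str]) -> Optional[str]:
    """Return the first entry of `preference` (left to right) found in `available`.

    Position alone decides; returns None when no listed type has a key.
    """
    for enctype in preference:
        if enctype in available:
            return enctype
    return None


def issue_tgt(skdc_tkt_enctypes: List[str], default_tkt_enctypes: List[str],
              user: str, realm: str = "LOCALREALM") -> Tuple[Optional[str], Optional[str]]:
    """(server portion enctype, user portion enctype) chosen for a TGT."""
    server = select_enctype(skdc_tkt_enctypes, PRINCIPAL_KEYS[realm])
    client = select_enctype(default_tkt_enctypes, PRINCIPAL_KEYS[user])
    return server, client


def issue_service_ticket(skdc_tkt_enctypes: List[str], default_tgs_enctypes: List[str],
                         service: str, realm: str = "LOCALREALM") -> Tuple[Optional[str], Optional[str]]:
    """(server portion enctype, user portion enctype) chosen for a service ticket."""
    server = select_enctype(skdc_tkt_enctypes, PRINCIPAL_KEYS[realm])
    svc = select_enctype(default_tgs_enctypes, PRINCIPAL_KEYS[service])
    return server, svc


def audit_preference(preference: List[str]) -> List[str]:
    """List entries that a weaker entry earlier in the list would shadow.

    For any principal holding a key for the earlier, weaker type, the later,
    stronger type can never be selected. An empty result means the list is
    ordered strongest first.
    """
    shadowed: List[str] = []
    weakest_so_far: Optional[int] = None
    for enctype in preference:
        strength = STRENGTH.get(enctype, 0)
        if weakest_so_far is not None and strength > weakest_so_far:
            shadowed.append(enctype)
        if weakest_so_far is None or strength < weakest_so_far:
            weakest_so_far = strength
    return shadowed


if __name__ == "__main__":
    # AES256 keys exist for both the realm and the user, yet DES is chosen
    # for both portions because it is listed first.
    print(issue_tgt(["DES", "AES256"], ["DES", "AES256"], "alice@LOCALREALM"))
    # Same keys, reversed order: AES256 for both portions.
    print(issue_tgt(["AES256", "DES"], ["AES256", "DES"], "alice@LOCALREALM"))
    # Cross-realm entry with only a DES key: DES3 stays enabled system-wide,
    # but this principal's ticket falls back to DES.
    print(issue_service_ticket(["DES3", "DES"], ["DES3", "DES"], "krbtgt/FOREIGN@LOCALREALM"))
    # Configuration check: which entries can never win as written?
    print(audit_preference(["DES", "AES256"]))
```

When reviewing a configuration, run audit_preference over each list the way it is actually ordered on the system; any non-empty result means the stronger type is present in the list but unreachable for every principal that also holds the weaker key.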

Copyright IBM Corporation 1990, 2014