If both AES-128 and AES-256 are enabled for Kerberos, the encryption type (etype) actually used is chosen by the KDC; it is not negotiated directly between the client and the service. The client lists the etypes it supports, in order of preference, in its request to the KDC. The KDC then picks an etype from that list that the target account also supports (in Active Directory the account's supported set is recorded in its msDS-SupportedEncryptionTypes attribute and in the keys stored for it), and Windows clients and KDCs both prefer the strongest common type.
Here’s how the authentication process works when both AES-128 and AES-256 are enabled:
- Authentication Request (AS-REQ):
- The client sends a request to the Authentication Service (AS) of the KDC naming the user principal and listing the etypes it supports in preference order.
- The password itself is never sent. With pre-authentication the client proves possession of it by encrypting a timestamp with a key derived from the password (for the AES etypes, via PBKDF2 with the salt the KDC supplies).
- TGT Response (AS-REP):
- The KDC verifies the pre-authentication data and returns a Ticket Granting Ticket (TGT) together with a session key.
- The TGT is encrypted with the krbtgt account's key, so the client cannot read it. The session key is delivered in a separate part of the reply encrypted with the client's own key, and its etype is the one the KDC selected.
- Service Ticket Request (TGS-REQ):
- When the client wants to access a service (e.g., an SMB server), it asks the Ticket Granting Service (TGS) of the KDC for a service ticket for that service's principal name (SPN).
- The client presents the TGT plus an authenticator encrypted with the TGT session key, proving it is the TGT's legitimate holder.
- Service Ticket Response and Authentication to the Service (TGS-REP, AP-REQ/AP-REP):
- The KDC validates the TGT and issues a service ticket encrypted with the service account's long-term key, along with a new client-service session key that is sent to the client under the TGT session key.
- The client presents the service ticket and a fresh authenticator to the service (AP-REQ).
- The service decrypts the ticket with its own key (from its keytab or machine account password), extracts the session key and verifies the authenticator. If mutual authentication was requested, the service proves its own identity in an AP-REP encrypted with that session key.
- Secure Communication:
- Both sides now hold the client-service session key and can use it to sign or encrypt application traffic (for example through GSSAPI/SSPI wrap and unwrap). The key's etype is whichever the KDC selected, AES-128 or AES-256.
- Not every protocol encrypts its payload with the Kerberos session key directly. SMB 3, for instance, derives its signing and encryption keys from the session key but chooses its own cipher (AES-CCM or AES-GCM) during the SMB negotiate exchange.
The "negotiation", then, is really the KDC's decision. The client advertises its etypes to the KDC; the service never discusses etypes with the client at all, and the KDC knows what the service supports from the keys stored for its account (in Active Directory, also from msDS-SupportedEncryptionTypes). Session keys are chosen from the intersection of the client's list and the account's supported set, and a ticket is sealed with the strongest key the target account has. Because Windows clients list AES-256 (aes256-cts-hmac-sha1-96, etype 18) ahead of AES-128 (aes128-cts-hmac-sha1-96, etype 17) and the KDC honours that order, AES-256 wins whenever both sides support it. If the intersection is empty, the KDC answers with KDC_ERR_ETYPE_NOSUPP (error code 14) and authentication fails.
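The selection described above, as an added example that is not part of the original page or of any Kerberos implementation. The etype numbers are the IANA assignments from RFC 3961/3962/4757 and the bit values are the documented msDS-SupportedEncryptionTypes flags; the selection rule itself is a simplified model (assumed: the first etype in the client's preference order that the target account also supports becomes the session-key type, and a ticket is sealed with the strongest key its owning account has). The client preference list and the account attribute values are constructed sample input.

```python
"""Model of how a KDC picks Kerberos encryption types (added example).

Selection rule is a simplified model, not the code of any real KDC:
  session key  = first etype in the client's list the account supports
  ticket key   = strongest etype the ticket's owning account supports
"""
from __future__ import annotations

# IANA etype numbers (RFC 3961 / RFC 3962 / RFC 4757)
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23

ETYPE_NAMES = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    AES128_CTS_HMAC_SHA1_96: "aes128-cts-hmac-sha1-96",
    AES256_CTS_HMAC_SHA1_96: "aes256-cts-hmac-sha1-96",
    RC4_HMAC: "rc4-hmac",
}

# Relative strength used when the KDC seals a ticket with the account's own key.
STRENGTH = {DES_CBC_CRC: 0, DES_CBC_MD5: 0, RC4_HMAC: 1,
            AES128_CTS_HMAC_SHA1_96: 2, AES256_CTS_HMAC_SHA1_96: 3}

# Active Directory msDS-SupportedEncryptionTypes bit flags.
MSDS_BITS = {
    0x01: DES_CBC_CRC,
    0x02: DES_CBC_MD5,
    0x04: RC4_HMAC,
    0x08: AES128_CTS_HMAC_SHA1_96,
    0x10: AES256_CTS_HMAC_SHA1_96,
}

KDC_ERR_ETYPE_NOSUPP = 14  # RFC 4120 error: no etype usable by both parties


class KerberosEtypeError(Exception):
    """Raised where a real KDC would return KDC_ERR_ETYPE_NOSUPP."""

    def __init__(self, principal: str) -> None:
        super().__init__(f"no common etype for {principal}")
        self.code = KDC_ERR_ETYPE_NOSUPP


def decode_msds_etypes(mask: int) -> set[int]:
    """Etypes enabled by an msDS-SupportedEncryptionTypes value (e.g. 0x18 = AES only)."""
    return {etype for bit, etype in MSDS_BITS.items() if mask & bit}


def select_session_etype(client_pref: list[int], account: set[int]) -> int | None:
    """Session-key etype: first of the client's preferred etypes the account supports."""
    for etype in client_pref:
        if etype in account:
            return etype
    return None


def strongest_etype(account: set[int]) -> int | None:
    """Key the KDC uses to seal a ticket for this account: the strongest one it has."""
    return max(account, key=STRENGTH.get) if account else None


def simulate_exchange(client_pref: list[int], user_mask: int,
                      krbtgt_mask: int, service_mask: int) -> dict[str, int]:
    """Etypes used across AS-REQ/AS-REP and TGS-REQ/TGS-REP under the model above."""
    user, krbtgt, service = (decode_msds_etypes(m) for m in (user_mask, krbtgt_mask, service_mask))
    result = {
        "reply_key": select_session_etype(client_pref, user),       # AS-REP enc-part, user's key
        "tgt_ticket": strongest_etype(krbtgt),                       # TGT sealed with krbtgt key
        "tgt_session": select_session_etype(client_pref, krbtgt),   # client <-> TGS session key
        "service_ticket": strongest_etype(service),                  # ticket sealed with service key
        "service_session": select_session_etype(client_pref, service),  # client <-> service key
    }
    for name, etype in result.items():
        if etype is None:
            raise KerberosEtypeError(name)
    return result


if __name__ == "__main__":
    # Constructed: the order a Windows client lists in AS-REQ (AES256, AES128, RC4).
    WINDOWS_CLIENT_PREF = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, RC4_HMAC]
    # Constructed: user and krbtgt allow both AES types, the service only AES-128.
    chosen = simulate_exchange(WINDOWS_CLIENT_PREF, user_mask=0x18, krbtgt_mask=0x18, service_mask=0x08)
    for name, etype in chosen.items():
        print(f"{name:16} {ETYPE_NAMES[etype]}")
```

Run it and the service ticket and client-service session key come out as AES-128 while everything involving the user and krbtgt accounts stays AES-256, which is the behaviour to expect when one service account has not been updated. On a real system the same information is visible in `klist` on Windows (the "KerbTicket Encryption Type" and "Session Key Type" lines) and in `klist -e` on MIT or Heimdal clients.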
In summary, when both AES-128 and AES-256 are enabled and the user, the KDC and the service all support them, Kerberos uses AES-256; AES-128 is used only for an exchange where one of the accounts involved supports nothing stronger. Two caveats are worth keeping in mind. First, both etypes use AES in CTS mode with HMAC-SHA1-96 and derive the key from the password with PBKDF2, so the practical difference between them is small next to the gap between AES and the older RC4 etype, and a weak password undermines either. Second, the strength of a service ticket is bounded by the service account's own key, so an account that has been left with only weaker etypes enabled will pull every exchange with that service down to its level regardless of what the client offers.