Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Enhanced Server-Side KCD Cipher Option

This article relates to LoadMaster firmware version 7.2.52.

In LoadMaster firmware version 7.2.52, a new option for server-side Kerberos Constrained Delegation (KCD) authentication improves the security of the LoadMaster's server-side KCD connections to meet evolving security policies.

In previous releases, KCD was configured to use RC4, DES, and DES3 ciphers for server connections; these ciphers could not be modified. With this release, you can now enable the Use AES 256 SHA1 KCD cipher option on the Virtual Services > Manage SSO User Interface (UI) page to specify that the RC4, DES, and DES3 ciphers be disabled for server-side KCD and that the aes256-cts-hmac-sha1-96 cipher be used instead. This is a global option and applies across all server-side SSO configurations.

Application Programming Interface (API) Details

A new parameter has been added to the API - kcdciphersha1.

You can retrieve the current value of the parameter by running the get command:


You can configure the value of the parameter by running the set command:


0 - Disabled

1 - Enabled

For further details on the RESTful API in general, refer to the RESTful API Interface Description document.

For PowerShell help, run the Get-Help command for the relevant commands.