Kerberos tickets, described in How the Kerberos Service Works, are encrypted. Kerberos provides several algorithms, or encryption types, for encrypting tickets. By default, weak types, such as des and arcfour-hmac are disallowed. These types should only be allowed for backward compatibility or interoperability. For instructions about limiting encryption to the strongest encryption types, see How to Require Strong Encryption in Kerberos and the krb5.conf(5) man page.