Thank you, Jeffrey, for pointing it out. Sorry, I didn't make it clear. It's on the client side, by restricting the requested enctypes in the krb5.conf. In our case, the clients don't support 3DES encryption. default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc