I have a closed system that doesn't need to interoperate with any other Kerberos servers. Should I just force everything to ENCTYPE_AES256_CTS_HMAC_SHA1_96? Is there a downside to doing this?

Chris