Avoiding "KDC has no support for encryption type while getting initial credentials" by pinning selected KDC

Osipov, Michael michael.osipov at siemens.com
Thu Aug 18 06:58:21 EDT 2016


Hi Todd,

> Michael,
> 
> This does not fix your issue, its more for clarification of discussion.
> 
> The "domain functional level" should be dictating the behavior of the
> aggregate AD environment. You can control the preference for encryption
> type in the krb5.conf's [libdefaults] enctype settings
> (default_tgs_enctypes,  permitted_enctypes, default_tkt_enctypes).

The forest functional level is at 2 (Windows Server 2003) while
domain is at 4 (Windows Server 2008 R2).

I'd like to avoid fiddling with the enctypes on all machines because this
is a rare case.





More information about the Kerberos mailing list