Avoiding "KDC has no support for encryption type while getting initial credentials" by pinning selected KDC
Osipov, Michael
michael.osipov at siemens.com
Thu Aug 18 06:58:21 EDT 2016
Hi Todd,
> Michael,
>
> This does not fix your issue, its more for clarification of discussion.
>
> The "domain functional level" should be dictating the behavior of the
> aggregate AD environment. You can control the preference for encryption
> type in the krb5.conf's [libdefaults] enctype settings
> (default_tgs_enctypes, permitted_enctypes, default_tkt_enctypes).
The forest functional level is at 2 (Windows Server 2003) while
domain is at 4 (Windows Server 2008 R2).
I'd like to avoid fiddling with the enctypes on all machines because this
is a rare case.
More information about the Kerberos
mailing list