If you are using pre-validated Active Directory users, you must enable Kerberos AES 128- and 256-bit encryption for these users. You can do so by editing the user accounts in Active Directory Users and Computers or by setting attributes for the users in ADSI Edit.
To enable encryption for pre-validated users by using Active Directory Users and Computers
- On the domain controller, open Active Directory Users and Computers.
- Navigate to the domain and select Users.
- Select the pre-validated user, right-click, then click Properties.
-
Click the Account tab, then select the following Account options:
- This account supports Kerberos AES 128 bit encryption.
- This account supports Kerberos AES 256 bit encryption.
-
Click OK to save the updated account information.
To enable encryption for pre-validated users by using ADSI Edit
- On the domain controller, open ADSI Edit.
- Navigate to the domain and select CN=Users.
- Select the user, right-click, then click Properties.
- In the Attribute Editor tab, select the msDS-supportedEncryptionTypes attribute and select Edit.
-
Type 0X18 to set the hex value for the attribute and click OK.
You should see that the value shows:
0x18=(AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96)
- Click OK to save the new setting.
Doc Feedback