Enabling required encryption types for pre-validated users
If you are using pre-validated Active Directory users, you must enable Kerberos AES 128- and 256-bit encryption for these users. You can do so by editing the user accounts in Active Directory Users and Computers or by setting attributes for the users in ADSI Edit.

To enable the encryption types in Active Directory Users and Computers:

- On the domain controller, open Active Directory Users and Computers.
- Navigate to the domain and select Users.
- Select the pre-validated user, right-click, then click Properties.
- Click the Account tab, then select the following Account options:
  - This account supports Kerberos AES 128 bit encryption.
  - This account supports Kerberos AES 256 bit encryption.
- Click OK to save the updated account information.

To set the attribute in ADSI Edit:

- On the domain controller, open ADSI Edit.
- Navigate to the domain and select CN=Users.
- Select the user, right-click, then click Properties.
- In the Attribute Editor tab, select the msDS-supportedEncryptionTypes attribute and select Edit.
- Type 0x18 to set the hex value for the attribute and click OK.
  You should see that the value shows:
  0x18=(AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96)
- Click OK to save the new setting.
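
When there are several pre-validated users, the same check and change can be scripted. The following PowerShell is an added example, not part of the original procedure: it reports whether each account's msDS-SupportedEncryptionTypes value includes both AES bits and, when `$Apply` is set to `$true`, writes 0x18 as in the ADSI Edit steps. It assumes the ActiveDirectory module (RSAT) is installed; the account names are hypothetical placeholders.

```powershell
# Added example: audit (and optionally set) AES support on pre-validated users.
# Assumes the ActiveDirectory PowerShell module (RSAT) is available.
Import-Module ActiveDirectory

# Hypothetical account names; replace with your pre-validated users.
$PreValidatedUsers = @('prevalidated-user1', 'prevalidated-user2')
$Apply = $false   # $false = report only; $true = write the attribute

# Bit flags of msDS-SupportedEncryptionTypes used by this procedure
$AES128   = 0x08                    # AES128-CTS-HMAC-SHA1-96
$AES256   = 0x10                    # AES256-CTS-HMAC-SHA1-96
$Required = $AES128 -bor $AES256    # 0x18, the value typed in ADSI Edit

foreach ($name in $PreValidatedUsers) {
    $user = Get-ADUser -Identity $name -Properties 'msDS-SupportedEncryptionTypes'

    # The attribute is empty on accounts that were never configured;
    # casting $null to [int] yields 0, i.e. no AES bits set.
    $current = [int]$user.'msDS-SupportedEncryptionTypes'
    $hasAes  = ($current -band $Required) -eq $Required
    $action  = 'none'

    if (-not $hasAes) {
        if ($Apply) {
            # Same result as typing 0x18 in the Attribute Editor.
            Set-ADUser -Identity $user -Replace @{ 'msDS-SupportedEncryptionTypes' = $Required }
            $action = 'set to 0x18'
        } else {
            $action = 'needs 0x18 (report only)'
        }
    }

    # One row per account for review or export.
    [pscustomobject]@{
        User         = $user.SamAccountName
        CurrentValue = '0x{0:X}' -f $current
        HasAES128    = [bool]($current -band $AES128)
        HasAES256    = [bool]($current -band $AES256)
        Action       = $action
    }
}
```

Run it once with `$Apply = $false` to review the report before making changes.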