If you are using pre-validated Active Directory users, you must enable Kerberos AES 128- and 256-bit encryption for these users. You can do so by editing the user accounts in Active Directory Users and Computers or by setting attributes for the users in ADSI Edit.
To enable AES in Active Directory Users and Computers:
- On the domain controller, open Active Directory Users and Computers.
- Navigate to the domain and select Users.
- Select the pre-validated user, right-click, then click Properties.
- Click the Account tab, then select the following Account options:
  - This account supports Kerberos AES 128 bit encryption.
  - This account supports Kerberos AES 256 bit encryption.
- Click OK to save the updated account information.
To set the attribute in ADSI Edit:
- On the domain controller, open ADSI Edit.
- Navigate to the domain and select CN=Users.
- Select the user, right-click, then click Properties.
- In the Attribute Editor tab, select the msDS-supportedEncryptionTypes attribute and select Edit.
- Type 0x18 to set the hex value for the attribute and click OK. The value should now show:
  0x18=(AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96)
- Click OK to save the new setting.
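The same setting can be checked and applied from PowerShell for several accounts at once. This is an added example, not part of the original documentation; it assumes the RSAT ActiveDirectory module is installed, and the account names are hypothetical placeholders.

```powershell
# Added example (not from the original page). Requires the RSAT ActiveDirectory
# module and rights to modify the listed accounts.
Import-Module ActiveDirectory

# Hypothetical placeholder names: replace with your pre-validated users.
$PreValidatedUsers = @('prevalidated-user1', 'prevalidated-user2')

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
$EncTypeFlags = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    @{ Bit = 0x04; Name = 'RC4-HMAC' }
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)
$AesOnly = 0x18   # the value the ADSI Edit procedure sets (AES128 | AES256)

# Turn the numeric mask into the same readable form ADSI Edit displays.
function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    $names = $EncTypeFlags |
        Where-Object { $Mask -band $_.Bit } |
        ForEach-Object { $_.Name }
    if ($names) { $names -join ' | ' } else { '(not set)' }
}

foreach ($sam in $PreValidatedUsers) {
    $user = Get-ADUser -Identity $sam -Properties 'msDS-SupportedEncryptionTypes'
    # An attribute that has never been set comes back as $null, which casts to 0.
    $current = [int]$user.'msDS-SupportedEncryptionTypes'

    if ($current -ne $AesOnly) {
        # -WhatIf only previews the change; remove it to write the value.
        Set-ADUser -Identity $user -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly } -WhatIf
    }

    # Report the value found before any change was made.
    [pscustomobject]@{
        User      = $user.SamAccountName
        Hex       = '0x{0:X}' -f $current
        EncTypes  = ConvertFrom-EncTypeMask $current
        Compliant = ($current -eq $AesOnly)
    }
}
```

An account that reports `Compliant = False` with `RC4-HMAC` or `(not set)` has not had the AES options applied.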