This configuration parameter specifies whether adclient scans the computer’s keytab file and removes any non-AES encryption keys for service principal names during startup. The default is false.

Use this configuration parameter to remove the keys for encryption types that are not supported when you enable FIPS mode (see fips.mode.enable). To remove the non-AES keys, enter the following:

adclient.krb5.keytab.clean.nonfips.enctypes: true

Note: If you specify arcfour-hmac-md5 in the adclient.krb5.permitted.encryption.types configuration parameter, the MD4 hash of the computer password is generated and saved in the keytab file.
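
To see which keytab entries fall outside the AES types before enabling the cleanup, the following added example (not part of the product or its documentation) parses the standard MIT keytab file format and lists the non-AES entries without modifying anything. Treating enctypes 17 through 20 as the AES set is an assumption of this example, and the sample keytab, principal and realm are constructed.

```python
import struct

# IANA Kerberos enctype numbers; treating 17-20 as "AES" is this example's assumption.
AES = {17, 18, 19, 20}
NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac-md5"}

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    def counted(p):  # 16-bit length followed by that many bytes
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(p)
            comps.append(comp)
        p += 8                   # skip name type and timestamp (4 bytes each)
        kvno = data[p]
        enctype, keylen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + keylen
        if end - p >= 4:         # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield "/".join(comps) + "@" + realm, kvno, enctype
        pos = end

def non_aes_entries(data):       # (principal, kvno, enctype name) outside the AES set
    return [(princ, kvno, NAMES.get(e, f"etype-{e}"))
            for princ, kvno, e in parse_keytab(data) if e not in AES]

def make_entry(realm, comps, kvno, enctype, key):  # builds constructed sample entries
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(s(c) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: all-zero keys for a hypothetical host principal.
SAMPLE = b"\x05\x02" + b"".join(make_entry("EXAMPLE.COM", ["host", "srv1.example.com"], 3, e, bytes(n))
                                for e, n in [(18, 32), (23, 16), (3, 8)])
```

Calling non_aes_entries() on the bytes of a real keytab file returns the same kind of list; an empty list means only AES keys are present.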