Ensure that encryption type AES 256 is allowed for Kerberos

  1. Go to Administrative Tools and open Group Policy Management.
  2. Edit the Default Domain Policy of the relevant domain.
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  4. Edit the setting Network security: Configure encryption types allowed for Kerberos.
  5. Ensure that AES256_HMAC_SHA1 is configured as an allowed encryption type.
  6. Close the Group Policy Editor.
  7. Edit the Default Domain Controller Policy in the Group Policy Management and repeat steps 3 - 6.
  8. To ensure the new setting is active, run the command below in PowerShell on the Domain Controllers and the Windows client (the one used for the integration).
  9. gpupdate /force

Ensure that the Default Domain Policy and the Default Domain Controller Policy allow the same encryption types. Misconfiguration could lead to unexpected authentication issues when users attempt to log in on Windows clients.