DeviceKerberosEncryptionTypes

Setting the policy designates which encryption types are allowed when requesting Kerberos tickets from a Microsoft® Active Directory® server. Setting the policy to: * All allows the AES encryption types aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, as well as the RC4 encryption type rc4-hmac. AES takes precedence if the server supports AES and RC4 encryption types. * Strong or leaving it unset allows only the AES types. * Legacy allows only the RC4 type. RC4 is insecure. It should only be needed in very specific circumstances. If possible, reconfigure the server to support AES encryption. Also see https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.