Hi kathraji - When you have RC4 and AES 128 enabled on the account, the KDC will default to AES128 when issuing service tickets. If your current keytab file only contains the RC4 credential (NTLM hash), the application will be unable to decrypt and read the service ticket. You can use ktpass /in as explained in this article (https://learn.microsoft.com/en-us/archive/blogs/pie/all-you-need-to-know-about-keytab-files#i-found-a-keytab-what-should-i-do) to determine which key(s) are in a keytab file. In my experience that is the most likely explanation for the app breaking when you enable AES 128 on the service account.
How you can be sure cached tickets will not be used following a change is going to depend on how your application is accessed. If Kerberos delegation is not configured, you should be able to purge the ticket cache of the client machine, which will force it to pull a fresh ticket. Keep in mind that the cache for a user session is separate from the system's ticket cache. To purge the system's ticket cache you need to run klist purge -li 0x3e7 from an elevated session. If Kerberos delegation has been configured, you should purge the tickets on the intermediary for good measure.
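
Added example, not part of the original reply: a Python reader for the MIT keytab layout that lists each entry's encryption type, so you can confirm whether a keytab holds only the RC4 key before AES128 is enabled on the account. It assumes the file uses keytab format version 0x0502; the sample keytab, the principal name, the zeroed key and the helper names (keytab_entries, missing_etypes, build_entry) are constructed for illustration.

```python
import struct

# Kerberos encryption type numbers for the types discussed above.
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, pos):
    """Read a uint16 length-prefixed field; return (bytes, next position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def keytab_entries(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab. Keys are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted entry (hole)
            if size == 0:
                break
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        # name type (4), timestamp (4), 8-bit kvno (1), enctype (2) = 11 bytes
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)
        if end - p >= 4:                    # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, ETYPES.get(etype, f"etype-{etype}")))
        pos = end
    return out

def missing_etypes(data, principal, account_etypes):
    """Enctypes enabled on the account that the keytab has no key for."""
    have = {e for name, _kvno, e in keytab_entries(data) if name == principal}
    return [e for e in account_etypes if e not in have]

def build_entry(realm, comps, kvno, etype, key):
    """Build one keytab entry (used only to construct the sample below)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab holding only an RC4 key (zeroed placeholder key material).
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.TEST", ["HTTP", "app.example.test"], 3, 23, bytes(16))
```

Calling missing_etypes on a real file (read with open(path, "rb").read()) with the encryption types enabled on the service account shows which keys need to be added to the keytab before the change.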