Microsoft
Microsoft
MicrosoftHi MaxC0der88 - The ticket encryption type is not dependent on the settings of the requesting account (user01) or the client computer. The session key on the other hand does have dependencies on them. At a glance everything looks correct on the Kerberos_SAP account (msds-supportedencryptiontypes is 0x1F and password was last changed 7/12/2020 and the 4769 event shows available key are AES-SHA1 and RC4). The first thing I would try is changing the password of Kerbero_SAP one more time. In some cases the KDC wants to have a N-1 AES Key before issuing an AES encrypted ticket and it is possible the account does not have history for the AES keys. Once that change has replicated you can test it from any domain joined devices by executing klist get HTTP/portal.domain which will cause the client to request a service ticket. If that does not help try changing msds-supportedencryptiontypes to 0x1C (decimal 28)on Kerberos_SAP. On paper that should not be necessary but it would be worth testing since 0x1c is a more common value when you want to enable RC4, AES128 and AES1256
JerryDevore Any suggestions?
