Allowed Kerberos encryption types
Sets encryption types that are allowed when requesting Kerberos tickets from an Microsoft® Active Directory® server.
If the policy is set to 'All', both the AES encryption types 'aes256-cts-hmac-sha1-96' and 'aes128-cts-hmac-sha1-96' as well as the RC4 encryption type 'rc4-hmac' are allowed. AES encryption takes preference if the server supports both types. Note that RC4 is insecure and the server should be reconfigured if possible to support AES encryption.
If the policy is set to 'Strong' or if it is unset, only the AES encryption types are allowed.
If the policy is set to 'Legacy', only the RC4 encryption type is allowed. This option is insecure and should only be needed in very specific circumstances.
See also https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.
Supported on: At least Microsoft Windows 7 or Windows Server 2008 family
chromeos.admx