This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will reject clients which does not support NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES.
This option was added with Samba 4.2.0. It may lock out clients which worked fine with Samba versions up to 4.1.x. as the effective default was "yes" there, while it is "no" now.
If you have clients without RequireStrongKey = 1 in the registry, you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.
This option yields precedence to the 'reject md5 clients' option.
|Registry Path||Software\Policies\Samba\smb_conf\allow nt4 crypto|
|Value Name||allow nt4 crypto|