Kerberos KDC has no support for encryption type while getting credentials
The encryption types supported by an Active Directory domain controller are listed in the msDS-SupportedEncryptionTypes
attribute of the domain controller's computer object. In a default installation, they are typically something like:
RC4_HMAC_MD5
AES128_CTS_HMAC_SHA1_96
AES256_CTS_HMAC_SHA1_96
This is a bitmask which works out to decimal 28, so it'd be something like 00011100.
So when you ask why the domain controller "always wants only ARC4-HMAC," it is because your client doesn't have any of the other two encryption types in common with the domain controller, so they are eliminated during the negotiation process.
(Note: RC4_HMAC_MD5 is really the worst and weakest of all the possible encryption types here, but it is also sometimes necessary to support legacy scenarios and interoperability with non-Microsoft products.)
I looked up some documentation and found an example of someone else's configuration file and thought this might be useful:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
Notice that, in addition to supporting better encryption types, they are also specifying rc4-hmac in their configuration, which is different from what you have, arcfour-hmac-md5. (Also don't forget the permitted_enctypes line, which I did not see in your post.)
I'm not 100% sure that will solve your issue, as I'm not in a position to test it right now, but hopefully it'll help.
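To make the bitmask arithmetic and the "what do client and DC have in common" reasoning from the answer concrete, here is an added example in Python; it is not code from the question, the answer or the squid wiki page. The bit values for the encryption types come from the Microsoft [MS-KILE] definition of msDS-SupportedEncryptionTypes (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10). The alias table maps the spellings MIT krb5 accepts in krb5.conf onto those names (in that table arcfour-hmac-md5 and rc4-hmac are treated as the same enctype), and the "strongest common type wins" selection rule is a simplifying assumption for illustration, not a guarantee about any particular KDC.

```python
# Added example: decode an msDS-SupportedEncryptionTypes value and intersect it
# with the enctype list from a krb5.conf, to see what the client and DC share.
from typing import Dict, Iterable, List

# Encryption-type bits of msDS-SupportedEncryptionTypes ([MS-KILE] 2.2.7).
# Higher bits (0x10000 and above) are KDC feature flags, not enctypes, and are ignored.
ENCTYPE_BITS: Dict[str, int] = {
    "des-cbc-crc": 0x1,
    "des-cbc-md5": 0x2,
    "rc4-hmac": 0x4,
    "aes128-cts-hmac-sha1-96": 0x8,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# krb5.conf spellings accepted by MIT krb5, normalised to the canonical names above
# (illustrative alias table; check the MIT krb5 documentation for the full list).
ALIASES: Dict[str, str] = {
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "rc4-hmac-md5": "rc4-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes256-sha1": "aes256-cts-hmac-sha1-96",
}

# Strength ranking used to pick the "expected" result. This is an assumption for the
# example; a real KDC applies its own preference order among the types the client offers.
STRENGTH: List[str] = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "rc4-hmac",
    "des-cbc-md5",
    "des-cbc-crc",
]
WEAK = {"rc4-hmac", "des-cbc-md5", "des-cbc-crc"}


def normalise(name: str) -> str:
    """Map a krb5.conf enctype spelling to its canonical name."""
    name = name.strip().lower()
    return ALIASES.get(name, name)


def decode_supported_enctypes(mask: int) -> List[str]:
    """Encryption types whose bits are set in an msDS-SupportedEncryptionTypes value, strongest first."""
    return [n for n in STRENGTH if mask & ENCTYPE_BITS[n]]


def encode_supported_enctypes(names: Iterable[str]) -> int:
    """Inverse of decode: build the attribute value from enctype names (aliases allowed)."""
    mask = 0
    for n in names:
        mask |= ENCTYPE_BITS[normalise(n)]
    return mask


def common_enctypes(dc_mask: int, client_enctypes: Iterable[str]) -> List[str]:
    """Enctypes both the DC attribute and the client's krb5.conf list support, strongest first."""
    client = {normalise(n) for n in client_enctypes}
    unknown = client - set(ENCTYPE_BITS)
    if unknown:
        raise ValueError(f"unrecognised enctype name(s): {sorted(unknown)}")
    dc = set(decode_supported_enctypes(dc_mask))
    return [n for n in STRENGTH if n in dc and n in client]


def explain(dc_mask: int, client_enctypes: Iterable[str]) -> str:
    """One-line verdict: which enctype to expect, or why the request must fail."""
    common = common_enctypes(dc_mask, client_enctypes)
    if not common:
        return "no enctype in common: expect KDC_ERR_ETYPE_NOSUPP"
    chosen = common[0]
    note = " (weak; only RC4/DES left in common)" if chosen in WEAK else ""
    return f"expected session enctype: {chosen}{note}"


if __name__ == "__main__":
    DC_MASK = 28  # default DC value from the answer: RC4 | AES128 | AES256 = 0b00011100
    print("DC supports:", decode_supported_enctypes(DC_MASK))
    # Constructed client configurations, mirroring the two krb5.conf variants discussed above.
    print("asker's config  :", explain(DC_MASK, ["arcfour-hmac-md5"]))
    print("squid wiki config:", explain(DC_MASK, "aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5".split()))
    print("DES-only client :", explain(DC_MASK, ["des-cbc-crc"]))
```

Reading msDS-SupportedEncryptionTypes off the DC's computer object (for example with `Get-ADComputer -Properties msDS-SupportedEncryptionTypes`) and feeding the integer to `explain()` together with your `default_tkt_enctypes` list shows at a glance whether RC4 is the only type left after the intersection, which is the situation the answer describes.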