Kerberos KDC has no support for encryption type while getting credentials

The encryption types supported by an Active Directory domain controller are listed in the msDS-SupportedEncryptionTypes attribute of the domain controller's computer object. In a default installation, they are typically something like:

RC4_HMAC_MD5
AES128_CTS_HMAC_SHA1_96
AES256_CTS_HMAC_SHA1_96

This is a bitmask which works out to decimal 28, so it'd be something like 00011100.

So when you ask why the domain controller "always wants only ARC4-HMAC," it is because your client doesn't have any of the other two encryption types in common with the domain controller, so they are eliminated during the negotiation process.

(Note: RC4_HMAC_MD5 is really the worst and weakest of all the possible encryption types here, but it is also sometimes necessary to support legacy scenarios and interoperability with non-Microsoft products.)

I looked up some documentation and found an example of someone else's configuration file and thought this might be useful:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

; for Windows 2008 with AES
   default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Notice that, in addition to supporting better encryption types, they are also specifying rc4-hmac in their configuration, which is different from what you have, arcfour-hmac-md5. (Also don't forget the permitted_enctypes line, which I did not see in your post.)

I'm not 100% sure that will solve your issue, as I'm not in a position to test it right now, but hopefully it'll help.