...

Prerequisites / Tasks


AES must be enabled on the user account that holds the SPN (in the account's properties, the option that allows Kerberos AES 256 bit encryption; this sets the account's msDS-SupportedEncryptionTypes attribute).

The domain functional level must be Windows Server 2008 or higher.

Domain functional levels below Windows Server 2008 do not support AES encryption.

To find the domain functional level, open Active Directory Users and Computers, right-click the root of the domain and choose Properties; the domain and forest functional levels are shown on the General tab.

The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be in place, because the default (limited) policy in older JREs caps AES at 128-bit keys and the service would then be unable to use an AES-256 key. This step only applies to older Java releases: JDK 8u161 and later, and JDK 9 and later, ship with the unlimited policy enabled by default.

Replace local_policy.jar and US_export_policy.jar with the unlimited strength versions in

$JAVA_HOME/jre/lib/security/

The service must be restarted for the new policy files to take effect.

...

Info

Purge tickets

Recreating a keytab with a new key version number or with different encryption types will make Kerberos fail for clients that already hold a service ticket, because that ticket was encrypted under the old key. Logging out, or running "klist purge" on the command line, makes the client acquire a new ticket encrypted with AES-256.

...

The first command in the picture below issues a keytab for issues.example.com. This keytab has "vno 3," meaning key version number (kvno) 3.

...