Usually, the wizard can determine this for you by looking it up in DNS on the server.
If that fails, the wizard will instruct you on how to determine this manually on the client-side.
If your service is already mapped to an account, then the strongest configured encryption type for that account is recommended.
Then, in the account options, we need to enable "This account supports Kerberos AES 256 bit encryption":
Shows you how to create a keytab file using ktpass. Again, this is a task you might have to delegate to your AD team.
A quick review of the syntax:
Command / parameter
ktpass is pre-installed in Windows 2008 onward. Located in c:\Windows\System32
HTTP is always used for web servers, also when using https.
issues.example.com is the canonical DNS name of JIRA
EXAMPLE.LOCAL is the Kerberos realm name of the Active Directory Domain
Maps the /princ name above to the account svc-jirasso-issues.
ktpass will add this attribute on the account:
Specifies the encryption type used when generating keys in the keytab. Must match the account supported encryption type.
The general ptype, recommended by Microsoft.
Output location of the generated keytab file
Running the ktpass command will output a keytab file and register issues.examples.com as an HTTP Kerberos service.