In an environment where Kerberos encryption algorithms are being manipulated by group policy, and where support for RC4_HMAC_MD5 encryption has been disabled, you may find that File Director clients fail to connect.
A network trace between the endpoint and the ticket-granting server (the local domain controller) filtered on Kerberos will show the following error in response to the TGS-REQ request message:
This is caused by a mismatch between proposed and available Kerberos encryption types
File Director currently supports the following kerberos encryption sets:
From a Windows perspective, a user can typically only use AES or DES based encryption if these are specifically enabled from the user account options in Active Directory (only available on >2008R2).
If RC4 has been disabled, please ensure that both the pre-authentication and end user accounts have the 'This account supports Kerberos AES 128 bit encryption' box checked.
Note: Due to kerberos ticket caching, the setting changes may not take effect for some time
To confirm the setting has taken effect you can run a 'klist' command from an un-elevated command prompt in the end user session and look out for an AES128 encrypted service ticket similar to the following: