KRBTGT account’s msDS-SupportedEncryptionTypes is 0x50000

Quite a short post here, but if you happen to find that the msDS-SupportedEncryptionTypes value is set to 0x50000 (or 327680 decimal) on the krbtgt account, no, your admins have not gone rogue: this happens if you enable FAST / claims for the KDC in a domain. It probably doesn’t really mean anything important, but I'm just putting it out there, because I couldn’t find anything out there that says it, and I tested the behavior on multiple test environments.

If the GPO element “KDC support for claims, compound authentication and Kerberos armoring” is set to any of the following:

  • Supported
  • Always provide claims
  • Fail unarmored authentication requests

the krbtgt account’s supported encryption types will get set to 0x50000.
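
As an added example (not from the original post), the decoder below shows why 0x50000 contains no encryption-type bits at all: it splits the attribute into etype bits and feature flags using the bit layout from Microsoft's MS-KILE specification, an outside reference the post does not cite. The function names and sample inputs are constructed for illustration, and the last sample shows what happens when "50000" is read as decimal instead of hex.

```python
# Added example: bit names follow the MS-KILE "Supported Encryption Types
# Bit Flags" layout (an outside reference, not something the post cites).
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
FEATURE_BITS = {
    0x10000: "FAST-supported",
    0x20000: "Compound-identity-supported",
    0x40000: "Claims-supported",
    0x80000: "Resource-SID-compression-disabled",
}
KNOWN_MASK = sum(ETYPE_BITS) | sum(FEATURE_BITS)


def parse_value(raw):
    """Accept an int, a decimal string, or a 0x-prefixed hex string."""
    return raw if isinstance(raw, int) else int(raw.strip(), 0)


def decode(raw):
    """Split the attribute into etype bits, feature flags and leftovers."""
    value = parse_value(raw)
    return {
        "hex": hex(value),
        "etypes": [n for b, n in ETYPE_BITS.items() if value & b],
        "features": [n for b, n in FEATURE_BITS.items() if value & b],
        "unknown_bits": value & ~KNOWN_MASK,
    }


def triage(raw):
    """Classify a value so an audit can tell feature flags from etypes."""
    d = decode(raw)
    if d["unknown_bits"]:
        return "unknown-bits"        # often a hex value read as decimal
    if d["features"] and not d["etypes"]:
        return "feature-flags-only"  # the krbtgt case from the post
    return "etypes-listed" if d["etypes"] else "empty"


if __name__ == "__main__":
    # Constructed inputs: the post's value in both bases, plus "50000" as decimal.
    for sample in ("0x50000", "327680", "50000"):
        print(sample, triage(sample), decode(sample))
```

A "feature-flags-only" result on krbtgt matches the post: the value records FAST and claims support, not a change to the account's encryption types.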
