Hey everyone! I've been facing an issue since our organization migrated to Active Directory (AD). Users are encountering the error message: 'The Encryption Type requested isn't supported by the KDC' whenever they try to reset their Windows passwords. This problem first popped up on the day of migration, and while it seemed to be a one-off situation at first, it has now started affecting every single user in our organization.
From what I gathered, it appears to be related to an encryption type discrepancy, specifically not using AES128 or AES256 encryption during password resets. I've been told by Windows Engineering and other support personnel that the only solution is to reset everyone's password. But I wonder if it's as simple as just updating the account properties for affected users to enable password resets using AES256 encryption and then running a Group Policy Update on all the users? What do you all think? Am I missing something here?
1 Answer
You're on the right track! However, when you change Group Policy to allow for new encryption types, you might still need to reset everyone's passwords after that. Active Directory doesn't automatically update password hashes when you allow users to switch to stronger encryption. So, unfortunately, a password reset is necessary to refresh the encryption type in AD. They should really conduct an audit of the encryption types being used too. Microsoft offers a lot of guidance around these issues.

Got it! So after the reset, users can change their passwords without extending the expiry dates, right?
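The audit the answer recommends can be scripted from the AD PowerShell module. This is an added example, not code from the original thread: it decodes the msDS-SupportedEncryptionTypes bitmask (documented bit values) for every enabled user and lists accounts that do not advertise AES, together with PasswordLastSet so you can see which accounts' keys predate the encryption-type change. The output path is an assumption.

```powershell
# Added example (not from the original thread): inventory Kerberos encryption
# types advertised by user accounts and flag those without AES bits set.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128_CTS  = 0x08
    AES256_CTS  = 0x10
}
$AesMask = 0x18   # AES128 | AES256

function ConvertFrom-EncTypeMask {
    param($Mask)
    # Null or 0 means the attribute is unset, so the DC's default policy applies.
    if (-not $Mask) { return 'NOT SET (DC default)' }
    ($EncTypeBits.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }) -join ','
}

$report = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet |
    ForEach-Object {
        $mask = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            EncTypes        = ConvertFrom-EncTypeMask $mask
            HasAES          = [bool]($mask -band $AesMask)
            HasDES          = [bool]($mask -band 0x03)
            PasswordLastSet = $_.PasswordLastSet
        }
    }

# Accounts that do not advertise AES are the candidates for the password reset
# the answer describes; oldest PasswordLastSet first.
$report | Where-Object { -not $_.HasAES } |
    Sort-Object PasswordLastSet |
    Format-Table SamAccountName, EncTypes, HasDES, PasswordLastSet -AutoSize

# Keep the full inventory for the audit record (assumed output path).
$report | Export-Csv -Path '.\enctype-audit.csv' -NoTypeInformation
```

Run it as an account with read access to user objects; an unset attribute does not by itself mean the account lacks AES keys, which is why PasswordLastSet is included alongside the decoded flags.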