Migrating users from a 2008R2 AD domain to a 2019 AD domain, both domains have CIS hardening applied to them and have limited the encryption types to AES128_HMAC_SHA1, AES256_HMAC_SHA1, and "Future encryption types".
When a migrated user attempts to change the expired password (over RDP) they get the following error "The encryption type requested is not supported by the KDC"
Hi,
Did you try perform the first reset by a administrator?
It's know behavior , because ADMT is unable to identify if the encryption type on target domain domain.
Below a thread talking about the same issue:
Please don't forget to mark helpful reply as answer
Hi
I would also check the msds-supportedencryptiontypes attribute of the migrated user accounts in case it's been set and the value is not compatible with your domain hardening.
Gary.
14 people are following this question.
