Kerberos using AES still not working where it should
Establish a two-way forest trust.
Try to establish a Remote Desktop Connection from a computer in one forest to a computer in another forest, with an account that is a member of the “Protected Users” security group. The connection will fail if the computer (from which you’re trying to establish the RDP connection) does not have the “RC4HMACMD5” Kerberos encryption type enabled (i.e. it only has “AES256HMACSHA1” enabled).
On the other hand, if the user trying to establish the Remote Desktop Connection is using an account that is NOT a member of the “Protected Users” security group, and only AES Kerberos encryption types are enabled on the computer from which the connection is initiated (i.e. “RC4HMACMD5” is not enabled), the connection is established, because after Kerberos authentication fails, the account is authenticated using NTLM, which is even worse.
Please fix this!
We must be able to authenticate and connect to another forest (of course, if the trust exists) with Kerberos using AES. Using RC4 is not acceptable, and NTLM is even worse.
Tomislav Fučkar commented
Kerberos is not enabled by default when creating a forest trust. After manually enabling it, AES works as expected.
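An added audit script for the two settings this thread turns on (it is not code from the original post or the comment): whether each forest trust object has AES enabled, and whether the local host's Kerberos policy still allows RC4. It assumes the RSAT ActiveDirectory module is installed and that the trust's AES flag lives in the msDS-SupportedEncryptionTypes attribute of the trusted-domain object, as set by the "other domain supports Kerberos AES encryption" option or ksetup /setenctypeattr.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module.
# Bit values follow the Kerberos SupportedEncryptionTypes layout (RC4 = 0x4,
# AES128 = 0x8, AES256 = 0x10).
Import-Module ActiveDirectory

$RC4 = 0x4; $AES128 = 0x8; $AES256 = 0x10

function Get-EncTypeNames([int]$Mask) {
    $names = @()
    if ($Mask -band 0x1)     { $names += 'DES-CBC-CRC' }
    if ($Mask -band 0x2)     { $names += 'DES-CBC-MD5' }
    if ($Mask -band $RC4)    { $names += 'RC4-HMAC' }
    if ($Mask -band $AES128) { $names += 'AES128-CTS-HMAC-SHA1-96' }
    if ($Mask -band $AES256) { $names += 'AES256-CTS-HMAC-SHA1-96' }
    if ($names.Count -eq 0)  { return '(unset: trust negotiates RC4 only)' }
    return $names -join ', '
}

# Local policy "Network security: Configure encryption types allowed for Kerberos".
# An unset policy is treated here as still allowing RC4 (assumption: pre-hardening default).
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$local = (Get-ItemProperty -Path $keyPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
$localRc4 = ($null -eq $local) -or (($local -band $RC4) -ne 0)
if ($null -eq $local) { Write-Output 'Local Kerberos policy: not set (OS default)' }
else { Write-Output ("Local Kerberos policy: {0}" -f (Get-EncTypeNames $local)) }

# Forest trusts: AES is only offered across the trust once an AES bit is set on the TDO.
Get-ADTrust -Filter * -Properties 'msDS-SupportedEncryptionTypes' |
  Where-Object { $_.ForestTransitive } |
  ForEach-Object {
    $mask = [int]$_.'msDS-SupportedEncryptionTypes'      # $null becomes 0 when unset
    $trustAes = ($mask -band ($AES128 -bor $AES256)) -ne 0
    if ($trustAes)     { $verdict = 'OK: AES available across the trust' }
    elseif ($localRc4) { $verdict = 'Kerberos falls back to RC4 across this trust' }
    else               { $verdict = 'No common enctype: Protected Users cannot authenticate across this trust' }
    $fix = ''
    if (-not $trustAes) {
        $fix = "ksetup /setenctypeattr $($_.Name) AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96"
    }
    [pscustomobject]@{
        Trust         = $_.Name
        Direction     = $_.Direction
        TrustEncTypes = Get-EncTypeNames $mask
        Verdict       = $verdict
        Fix           = $fix
    }
  } | Format-Table -AutoSize
```

Run it on a domain controller or a host with RSAT in each forest; the Fix column shows the command that enables AES on the trust object, which matches the manual step the comment refers to.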