I'm trying to get kerberos to work between an internal and a DMZ forest with a one-way trust between them and have narrowed the issue down to encryption type between the client and DC.
After some research the issue is appears to be the option "The other domain supports kerberos AES encryption" under the forest trust settings on the incoming side.
This option is currently disabled and the checkbox is greyed out so I can't select it, after plenty of searching I haven't found another way to enable this option on an existing trust. Is removing and re-creating the trust the only way to correct this?
The internal forest & domain are both Server 2008R2 functionality level, and the DMZ forest & domain are both Server 2016 functionality level.