Bug #13954
openkclient adds DES and ArcFour entries unconditionally
Description
Unified Compliance Framework notes that "Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption".
For Windows Server 2008, the UCF STIG recommends that "the use of DES encryption suites must not be allowed for Kerberos encryption", and for Windows Server 2012 and higher that "Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." On the client side, kclient perhaps shouldn't use DES at all, and perhaps should only use ArcFour if specifically indicated by the user. An argument for making ArcFour conditional comes from the noted operational impacts:
Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. This includes but is not limited to parent/child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.
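The following is an added example written for this report, not kclient's own code: a small Python checker that parses a krb5.conf in the MIT-style syntax illumos uses, reports any DES or RC4/ArcFour names in default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes, and emits a hardened copy. The allow_rc4 flag is an assumed knob that mirrors the "only if specifically indicated by the user" idea above; the sample config and the weak-enctype name list are constructed for the example, the latter from the enctype names and family aliases MIT krb5 accepts.

```python
"""Audit and harden Kerberos enctype lists in a krb5.conf.

Added example for this bug report; not kclient's code. Assumes the
MIT-style krb5.conf syntax that illumos/Solaris also use, and treats the
DES and RC4 (ArcFour) enctype names MIT krb5 recognises as the weak set.
"""
import re

# Enctype names (and MIT family aliases) for the suites the STIG text forbids.
DES_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1",
}
RC4_ENCTYPES = {
    "rc4", "rc4-hmac", "rc4-hmac-exp",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
}
WEAK_ENCTYPES = DES_ENCTYPES | RC4_ENCTYPES

# krb5.conf keys whose value is a whitespace- or comma-separated enctype list.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

_SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
_KV_RE = re.compile(r"^(\s*)(\w+)(\s*=\s*)(.*?)\s*$")


def _split_enctypes(value):
    """'des-cbc-crc, aes256-cts aes128-cts' -> list of lower-cased names."""
    return [tok.lower() for tok in re.split(r"[\s,]+", value) if tok]


def audit_krb5_conf(text):
    """Return [(section, key, [weak enctypes])] for each enctype list naming DES or RC4."""
    findings = []
    section = None
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = _KV_RE.match(line)
        if not m or m.group(2) not in ENCTYPE_KEYS:
            continue
        weak = [e for e in _split_enctypes(m.group(4)) if e in WEAK_ENCTYPES]
        if weak:
            findings.append((section, m.group(2), weak))
    return findings


def harden_krb5_conf(text, allow_rc4=False):
    """Strip DES (and, unless allow_rc4 is set, RC4) from every enctype list.

    A list left empty is dropped entirely so the library defaults apply,
    rather than leaving an empty set that would break ticket negotiation.
    """
    banned = DES_ENCTYPES if allow_rc4 else WEAK_ENCTYPES
    out = []
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m and m.group(2) in ENCTYPE_KEYS:
            kept = [e for e in _split_enctypes(m.group(4)) if e not in banned]
            if not kept:
                continue
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{' '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample in the shape described in the report: DES and ArcFour
# listed unconditionally next to AES.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc
        permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                admin_server = kdc1.example.com
        }
"""

if __name__ == "__main__":
    for section, key, weak in audit_krb5_conf(SAMPLE_KRB5_CONF):
        print(f"[{section}] {key}: weak enctypes {weak}")
    print(harden_krb5_conf(SAMPLE_KRB5_CONF))
```

Run against a generated /etc/krb5/krb5.conf, the audit lists each offending key; harden_krb5_conf with the default arguments removes both DES and ArcFour, while allow_rc4=True keeps ArcFour for environments that still need it across a trust, which is the case the STIG note warns about.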