Okta AD Agent Install Failing Due to KDC Error on Windows Server 2025
Okta Classic Engine
Okta Identity Engine
Directories
Overview

In some environments, typically mixed forests that include Windows Server 2025 alongside other Windows Server versions, attempting to install the Okta AD agent fails and the following error appears in the AD agent install logs:

The encryption type requested is not supported by the KDC.

Applies To
  • Directories
  • Active Directory (AD)
  • AD agent installation
Cause

Windows Server 2025 changed how Kerberos encryption types are handled. Because of this change, the accounts used during the AD agent install may need the AES 128/256 account options enabled. This applies to the service account and to the account performing the installation itself.

Solution

To resolve the KDC error, enable AES 128/256 for the service account and, if applicable, for the account performing the AD agent install. For the steps to enable these encryption types, see Windows Configurations for Kerberos Supported Encryption Type.

If the KDC error is still seen after performing these steps, run the following PowerShell command to take Okta out of the equation, replacing <directory-account-name> with the actual account name (without the angle brackets):

New-Object System.Security.Principal.WindowsIdentity <directory-account-name>

If the same KDC error is returned by this command, the issue is on the Windows/AD side and must be resolved there before proceeding with the AD agent install.
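The following PowerShell is an added example, not Okta's own tooling: it audits the Kerberos encryption types set on the service account and the installing account, adds AES 128/256 without dropping whatever is already enabled, and then runs the same WindowsIdentity check described above inside a try/catch so the KDC error is reported rather than thrown. It assumes the ActiveDirectory RSAT module is installed, and the account names and domain it uses are placeholders to replace.

```powershell
# Added example (not Okta code). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Bit flags stored in the msDS-SupportedEncryptionTypes attribute.
$EncFlags = [ordered]@{ DES_CRC = 0x1; DES_MD5 = 0x2; RC4 = 0x4; AES128 = 0x8; AES256 = 0x10 }
$AesMask  = $EncFlags.AES128 -bor $EncFlags.AES256   # 0x18

function Get-KerberosEncTypes {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $acct = Get-ADUser -Identity $SamAccountName -Properties msDS-SupportedEncryptionTypes
    $raw = 0   # attribute unset or 0 means the account relies on the domain default
    if ($null -ne $acct.'msDS-SupportedEncryptionTypes') {
        $raw = [int]$acct.'msDS-SupportedEncryptionTypes'
    }
    $enabled = $EncFlags.Keys | Where-Object { ($raw -band $EncFlags[$_]) -ne 0 }
    [pscustomobject]@{
        Account  = $SamAccountName
        RawValue = $raw
        Enabled  = ($enabled -join ',')
        HasAES   = (($raw -band $AesMask) -eq $AesMask)
    }
}

function Enable-KerberosAES {
    # OR the AES bits into the existing value so nothing already enabled (e.g. RC4 for
    # older systems in a mixed forest) is removed; equivalent to ticking both
    # "This account supports Kerberos AES ..." boxes on the account's Account tab.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $current = (Get-KerberosEncTypes -SamAccountName $SamAccountName).RawValue
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = ($current -bor $AesMask) }
}

function Test-KdcLogon {
    # The article's check, isolated from the installer: building a WindowsIdentity from a
    # UPN asks the KDC for a ticket for that account, so a KDC encryption-type problem
    # shows up here as an exception with the same message as in the install logs.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    try {
        $id = New-Object System.Security.Principal.WindowsIdentity $UserPrincipalName
        "OK: KDC issued an identity for $($id.Name)"
    } catch {
        "KDC/AD problem for ${UserPrincipalName}: $($_.Exception.Message)"
    }
}

# Placeholder names: the AD agent service account and the account running the installer.
foreach ($a in 'okta-ad-svc', 'installer-admin') {
    $state = Get-KerberosEncTypes -SamAccountName $a
    $state
    if (-not $state.HasAES) { Enable-KerberosAES -SamAccountName $a }
}
Test-KdcLogon -UserPrincipalName 'okta-ad-svc@corp.example'
```

Run it as a domain administrator on a domain-joined host; if Test-KdcLogon still reports the KDC error after the AES bits are set, the problem is on the AD side, as the article states.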

If errors remain in the AD agent install logs after enabling AES 128/256 for the service account and the installing account, and the KDC error does not appear when running the PowerShell command, open a support case and Okta Support will be glad to assist further.
