Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings.
des-cbc-crc
     des-cbc-md4
     des-cbc-md5
     des3-cbc-sha1
     des3-hmac-sha1
     des3-cbc-sha1-kd
     des-hmac-sha1
     aes256-cts-hmac-sha1-96
     aes256-cts
     aes128-cts-hmac-sha1-96
     aes128-cts
     arcfour-hmac
     rc4-hmac
     arcfour-hmac-md5
     arcfour-hmac-exp
     rc4-hmac-exp
     arcfour-hmac-md5-exp
     While aes128-cts and aes256-cts are supported for all Kerberos operations, they are not supported by older versions of our GSSAPI implementation (krb5-1.3.1 and earlier).
By default, AES is enabled in this release. Sites wishing to use AES encryption types on their KDCs need to be careful not to give GSSAPI services AES keys if the servers have not been updated. If older GSSAPI services are given AES keys, then services may fail when clients supporting AES for GSSAPI are used. Sites may wish to use AES for user keys and for the ticket granting ticket key, although doing so requires specifying what encryption types are used as each principal is created.
If all GSSAPI-based services have been updated before or with the KDC, this is not an issue.