Kerberos kdc, how to force generation of AES keys on Solaris?
I want to avoid old and weak ciphers on my Solaris kdc, using only AES.
I have edited kdc.conf
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
These are the lines for krb5.conf:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_encryptes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
Restart kdc and kadmin and..
kadmin -p kws/admin -wmypassword
Authenticating as principal kws/admin with password.
kadmin:
addprinc NFS/debian.myserv.priv@MYSERV.PRIV
ktadd -k nfs.keytab -e aes256-cts-hmac-sha1-96 NFS/debian.myserv.priv@MYSERV.PRIV
ktadd: Invalid argument while parsing keysalts aes256-cts-hmac-sha1-96
Trying default..
ktadd -k nfs.keytab NFS/debian.myserv.priv@MYSERV.PRIV
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:nfs.keytab.
Why are the DES keys generated? Is it possible to force the AES cipher instead?
EDIT: I found a way to create only aes256 keys
ktadd -e aes256-cts:normal -k nfs.keytab NFS/debian.myserv.priv@MYSERV.PRIV
The question still stands: finding a way to force/generate only aes256 keys.
Asked by elbarna
(13690 rep)
Dec 26, 2024, 08:18 AM
Last activity: Dec 27, 2024, 12:16 AM
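An added example (not part of the original question, and not Solaris or MIT code): a small parser for the keytab file layout used by MIT Kerberos (version 0x0502), assumed here to be what the Solaris `ktadd` writes, that lists every entry whose key is not AES. The function names and the all-zero sample keytab are constructed for illustration.

```python
import struct

# Enctype numbers (IANA Kerberos registry, MIT-style names) seen in the ktadd output.
ENCTYPES = {3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
AES_ONLY = {17, 18}

def counted(data, p):  # 16-bit length-prefixed octet string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype number) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)   # pos now points at the next record
        if size <= 0:                               # negative size: deleted slot, skip
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, p = counted(data, start + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(data, p)
            comps.append(comp.decode())
        kvno, etype = struct.unpack_from(">8xBH", data, p)  # skip name_type, timestamp
        _key, p = counted(data, p + 11)
        if pos - p >= 4:                            # optional 32-bit kvno, if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return entries

def non_aes_entries(data):
    return [(pr, kv, ENCTYPES.get(et, "etype-%d" % et))
            for pr, kv, et in parse_keytab(data) if et not in AES_ONLY]

def sample_entry(princ, realm, kvno, etype, key):  # hypothetical helper: demo entry
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", princ.count("/") + 1) + cs(realm.encode())
            + b"".join(cs(c.encode()) for c in princ.split("/"))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: principal, kvno and enctypes from the output above; zero keys.
SAMPLE = b"\x05\x02" + b"".join(
    sample_entry("NFS/debian.myserv.priv", "MYSERV.PRIV", 3, et, bytes(n))
    for et, n in [(18, 32), (17, 16), (16, 24), (23, 16), (3, 8)])
```

Run against a real file with `non_aes_entries(open("nfs.keytab", "rb").read())`; an empty list means the keytab holds AES keys only.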