If the firewall is in FIPS/CC mode, the
algorithm must be
aes128-cts-hmac-sha1-96
or
aes256-cts-hmac-sha1-96
.
Otherwise, you can also use
des3-cbc-sha1 or arcfour-hmac
.
To use an Advanced Encryption Standard (AES) algorithm, the functional
level of the KDC must be Windows Server 2012 or later and you must
enable AES encryption for the firewall account.