Currently, if I follow the steps I can't get working Windows 10 or 11 (both 22H2) with FreeIPA v4.10.1. Please, update/add this steps: 1. The algorithm "arcfour-hmac" isn't necessary in this versions (I don't know in others versions). Just skip the "-e" option or specify with "-e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96". 2. Enforce use of TCP when use Kerberos in Windows running the follows commands after the step 5 of "Configure Windows (ksetup)" section. This steps helps when you logged via VPN or when the packet size is > 1500 (MTU limited!). ``` reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "MaxPacketSize" /t REG_DWORD /d 1 /f ksetup /setrealmflags [REALM_NAME] tcpsupported ``` 3. Ensure the `permitted_enctypes` in `/etc/krb5.conf` configuration on FreeIPA servers (and replicas). Next, delete `/etc/krb5.conf.d/crypto-policies` (I don't test if updating this file from a tool works). This ensure that every ticket sended from FreeIPA kdc always use the `permitted_enctypes` algorithms. ``` [libdefaults] permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 ``` After change, run the followed commands in FreeIPA servers and replicas: ``` systemctl stop sssd.service sss_cache -E systemctl restart krb5kdc.service systemctl start sssd.service ``` 4. The step 8 from "Configure Windows (ksetup)" section isn't necessary. Windows creates the user automatically. 5. If you don't want type <user>@<domain> for every uncached user, run the followed command to hard-coded domain in logon (add after step 5 of "Configure Windows (ksetup)" section?): ``` reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DefaultLogonDomain /t REG_SZ /d "[REALM_NAME]" /f ``` 6. The step 1 of "Configure Windows (ksetup)" section changes from "/setdomain" to "/setrealm". Actually, both works but I don't know if in the future this command changes.