Kodiak,
I'm actually in the midst of this now. Our company is running a 'deprecated protocols' project, where they're trying to eliminate rc4 encryption, SNMPv1, v2c and a few other weak protocols I won't mention here.
For AD, that eventually means change the LDAP attribute msDS-SupportedEncryptionTypes of the computer accounts to a value of 24 (i.e., AES256 and AES120 only). See:
Also, you have to ensure that any AD cross-domain trusts are not using rc4. (That bit us).
For Linux servers, that means modifying the /etc/ssh/sshd_config file, the /etc/krb5.conf and maybe the /etc/krb5.conf.d/* files.
In RHEL8/9, the sshd ciphers are managed by the system-wide crypto-policies. See man page for 'update-crypto-polciies'. The details of how the ciphers are managed between RHEL8 and 9 differ in the back-end, but you probably don't care about that level of detail.
In RHEL 6/7, you edit the /etc/ssh/sshd_config file and edit the 'Ciphers' line.
For sssd and kerberos, again in RHEL8/9 it is managed by the system-wide crypto policies. Which sets up an /etc/krb5.conf.d/crypto-policies file (a symlink). It has 'permitted_enctypes'.
For RHEL 6/7, as you state -- you set permitted_enctypes in /etc/krb5.conf or /etc/krb5.conf.d/*. These encryptions are tried in the order listed, so you put your strongest encryptions first (AES256).
If you have an existing /etc/krb5.conf file with default_tkt_enctypes or default_tgs_enctypes, those settings are used preferentially over permitted_enctypes.
I'm not aware that sssd.conf file specifies encryption types directly. At least in our company's sssd.conf files, it does not.
Spike White