I am having problems restricting kerberized NFS to use only AES encryption. We had kerberized NFS running until the other encryptions were blocked at the KDC.
Context:
FAS2720 Filer
ONTAP 9.8P18
KDC is Microsoft AD (I only have permissions in my OU)
I used Microsoft ktpass to create a keytab for my nfs SPN account and used that as -keytab-uri parameter for kerberos interface enable (using admin-username and admin-password failed).
Now I cannot mount volumes that are restricted to kerberos and when I try the event log tells me [ 0] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Key table entry not found).
Packet capture shows a NFS V3 NULL call using an apparently correct kerberos ticket, with a reply that has a GSS major/minor status 851968/2529639093, that is consistent with that error. (Client principal is the client host in that exchange).
However I cannot understand why the key table entry cannot be found.
I have checked that:
- the nfs SPN matches in the keytab, the keyblock shown by the ONTAP CLI, the AD machine entry and the captured packets (also checked the letter case)
- the kvno also matches here
- the encryption type (18) and the key match in the keytab and the keyblock, and the key can decrypt the encrypted parts of the packets in Wireshark
- aes-256 and aes-128 are permitted-enc-types in vserver nfs show
- these encryption types are enabled in the AD for both the NFS server account and the client host account
- users can obtain service tickets for the nfs server using kvno
Any Ideas?
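Decoding the GSS major/minor status pair from the capture, as an added illustration that is not part of the original post: the major status splits into calling, routine and supplementary fields, and MIT Kerberos minor codes are signed com_err values whose upper bits identify the error table and whose low byte indexes the entry (the code tables below are a subset).

```python
# Decoder for a GSS-API major status and a Kerberos (com_err) minor status,
# such as the 851968/2529639093 pair seen in the NFS NULL reply above.

# GSS-API routine errors (RFC 2744 section 3.9.1 values), subset.
GSS_ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 7: "GSS_S_NO_CRED",
    8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
}

# MIT Kerberos com_err table base ("krb5" table) and a subset of its codes;
# the low 8 bits of a com_err code are the index into its table.
KRB5_ERROR_TABLE_BASE = -1765328384  # 0x96C73A00 as a signed 32-bit value
KRB5_CODES = {
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",  # Decrypt integrity check failed
    37: "KRB5KRB_AP_ERR_SKEW",           # Clock skew too great
    41: "KRB5KRB_AP_ERR_MODIFIED",       # Message stream modified
    181: "KRB5_KT_NOTFOUND",             # Key table entry not found
}


def decode_gss_major(status):
    """Split a GSS major status into calling, routine and supplementary fields."""
    calling = (status >> 24) & 0xFF
    routine = (status >> 16) & 0xFF
    supplementary = status & 0xFFFF
    return {
        "calling": calling,
        "routine": routine,
        "routine_name": GSS_ROUTINE_ERRORS.get(routine, "unknown"),
        "supplementary": supplementary,
    }


def decode_krb5_minor(minor):
    """Interpret a GSS minor status (unsigned on the wire) as a krb5 com_err code."""
    signed = minor - (1 << 32) if minor >= (1 << 31) else minor
    base = signed & ~0xFF          # table identifier (upper 24 bits)
    index = signed & 0xFF          # entry within the table
    if base != KRB5_ERROR_TABLE_BASE:
        return {"table": "not krb5", "code": signed, "name": "unknown"}
    return {"table": "krb5", "code": index, "name": KRB5_CODES.get(index, "unknown")}


if __name__ == "__main__":
    print(decode_gss_major(851968))        # routine 13 -> GSS_S_FAILURE
    print(decode_krb5_minor(2529639093))   # krb5 code 181 -> KRB5_KT_NOTFOUND
```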