I have a few items that might help somewhat.
While working on a cipher project I noted that a number of items kept coming back as older types than the current more secure version, let's say AES256; I had collected the hits via network scans. This could be seen by testing an SPN that was bound to an AD object such as a user or computer object. But ultimately all roads take you back to the AD item.
Testing a hit, for example CIFS/TEST, a demo SPN added to a test computer object, using the PowerShell code:
klist purge
Add-type -AssemblyName System.IdentityModel
$SessionKey = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList CIFS/test -ErrorAction SilentlyContinue
klist
Client: administrator @ DOMAIN1.INT
Server: CIFS/test @ DOMAIN1.INT
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/17/2022 23:52:52 (local)
End Time: 3/18/2022 9:52:52 (local)
Renew Time: 3/24/2022 23:52:52 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Looking in the test AD for the test computer object and then adding Advanced views to DSA.MSC, there is a direct link to the value set in msDS-SupportedEncryptionTypes, as both the above replies added. 100% bang on. Now it's possible to force the use of stronger levels of ciphers via this attribute in AD of the object.
See https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797
I have done some testing and, to be fair, the strongest value is always chosen when you select a value that's got, say, RC4 and AES; even when you use AES 128 and 256 the servers will use the strongest possible.
E.g. when I set the value on the AD Computer Object "not a user account" to 23 - DES_CBC_CRC, DES_CBC_MD5, RC4, AES 256:
#1> Client: administrator @ DOMAIN1.INT
Server: CIFS/test @ DOMAIN1.INT
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/18/2022 0:00:33 (local)
End Time: 3/18/2022 10:00:33 (local)
Renew Time: 3/25/2022 0:00:33 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Note this was only a limited test, so don't run off and start cranking it into the real world :) Just wanted to share a few things with you all.
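
The bitmask behind the value 23 discussed above, decoded as an added PowerShell example (not part of the original post): it lists which encryption types a msDS-SupportedEncryptionTypes value enables, which of them is strongest, and whether DES or RC4 bits remain set. The function name `Get-EtypeAudit` and the sample object names other than TEST are hypothetical.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and flag weak etypes.
# Etype bits, ordered weakest to strongest (higher, non-etype bits are ignored).
$EtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x01
    'DES_CBC_MD5'             = 0x02
    'RC4_HMAC'                = 0x04
    'AES128_CTS_HMAC_SHA1_96' = 0x08
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}
$WeakMask = 0x07   # DES_CBC_CRC + DES_CBC_MD5 + RC4_HMAC
$AesMask  = 0x18   # AES128 + AES256

function Get-EtypeAudit {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Name,
        [Nullable[int]]$Value
    )
    $enabled = @()
    if ($Value) {
        # Keep every etype whose bit is set in the attribute value
        $enabled = @($EtypeBits.Keys | Where-Object { $Value -band $EtypeBits[$_] })
    }
    $finding = if (-not $Value) { 'Attribute unset or 0: KDC default applies, review' }
    elseif ($enabled.Count -eq 0)         { 'No etype bits set: review' }
    elseif (-not ($Value -band $AesMask)) { 'Weak only: no AES enabled' }
    elseif ($Value -band $WeakMask)       { 'AES enabled, but DES/RC4 bits still set' }
    else                                  { 'AES only' }

    [pscustomobject]@{
        Name      = $Name
        Value     = $Value
        Enabled   = $enabled -join ', '
        Strongest = $enabled | Select-Object -Last 1   # list is weakest-first
        Finding   = $finding
    }
}

# Constructed sample objects; 23 is the value from the test in the post.
# With the ActiveDirectory module, real input would come from:
#   Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes
$samples = @(
    @{ Name = 'TEST';     Value = 23 }
    @{ Name = 'LEGACY01'; Value = 4 }
    @{ Name = 'APP01';    Value = 24 }
    @{ Name = 'UNSET01';  Value = $null }
)
$samples | ForEach-Object { Get-EtypeAudit -Name $_.Name -Value $_.Value } |
    Format-Table -AutoSize
```

For TEST (23) the strongest enabled type is AES256_CTS_HMAC_SHA1_96, matching the ticket shown above, while the finding column shows that the DES and RC4 bits are still set on the object.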