Exchange 2016 and Sever 2016 DCs: Unknown KDC Encryption type

I think you may first check the SPN, you could run “SetSPN -L <ExchangeServerName>” command to check the SPN configuration. It should contain:

SMTP/<ExchangeServerName>

SMTP/<ExchangeServerName>.example.com

SMTPSVC/<ExchangeServerName>

SMTPSVC/<ExchangeServerName>.example.com

If some missed, you could run "setspn -a <data>" to add.

And then, on the client side, run “klist tickets” in CMD to check the ticket type. Usually it should be “AES-256-CTS-xxx”.

Here is a related blog about ticket types: https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/

In addition, according my research, beginning with Windows Server 2016, KDCs can support the PKInit freshness extension. Maybe you could also check this point.