2008 Domain Controller is running at 2003 functional level.
Basically ACS sends a ticket request to the KDC and it responds with the encryption versions it supports including AES. Since AES is the strongest encryption we choose that and send a ticket request using AES to the KDC. The KDC then responds saying it does not support AES since 2003 does not support AES encryption.
Raising the domain functional level to 2008 native should resolve the issue but that is not an option right now.
Is there a workaround on the Domain Controller I could use, such as adjusting a Registry value, such as DefaultEncryptionType?