I want Kerberos tickets to be encrypted with AES rather than the standard RC4.
Kerberos AES is only supported in Windows Vista or newer and Windows Server 2008 or newer.
To configure the ProxySG to use AES for Kerberos tickets, AES Kerberos tickets must be supported for both BCAAA and the end users.
The property for supporting Kerberos AES can be found in the user properties for the Active Directory account running BCAAA.
To verify that Kerberos is using AES, take a packet capture and look for aes256-cts-hmac-sha1-96, as displayed in the screenshot below:
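The same check can be scripted over a capture. The following is an added example, not part of the original article: it reads tshark field output and reports the encryption type protecting each service ticket in a TGS-REP. The capture file name, host names and sample lines are constructed, and the tshark invocation in the comment is an assumed way to produce the input.

```python
"""Report the etype protecting each Kerberos service ticket in tshark output."""

# Kerberos etype numbers (RFC 3962 for AES, RFC 4757 for RC4-HMAC).
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
TGS_REP = 13  # msg-type of the KDC reply that carries the service ticket

# Constructed sample in the shape produced by (capture.pcap is an assumed name):
#   tshark -r capture.pcap -Y kerberos -T fields -e frame.number \
#     -e kerberos.msg_type -e kerberos.SNameString -e kerberos.etype
# Columns are tab-separated; repeated fields within one frame are comma-joined.
SAMPLE = "\n".join([
    "40\t12\tkrbtgt,EXAMPLE.TEST,HTTP,proxy.example.test\t18,18,18,17,23",  # TGS-REQ
    "41\t13\tHTTP,proxy.example.test\t18,18",    # ticket AES256, reply AES256
    "87\t13\tHTTP,legacy.example.test\t23,18",   # ticket RC4, reply AES256
    "90\t13\t\t",                                # frame with no decoded fields
])


def ticket_etypes(tshark_fields):
    """Return [(frame, service, etype_name, is_aes256)] for every TGS-REP line."""
    results = []
    for line in tshark_fields.splitlines():
        cols = line.split("\t")
        if len(cols) != 4 or not (cols[0].isdigit() and cols[1].isdigit()):
            continue  # not in the expected four-column shape
        if int(cols[1]) != TGS_REP:
            continue  # requests list offered etypes, not the one actually used
        etypes = [int(e) for e in cols[3].split(",") if e.strip().lstrip("-").isdigit()]
        if not etypes:
            continue
        # In a TGS-REP the ticket precedes the reply's own enc-part, so the
        # first etype is the one protecting the service ticket. It follows the
        # service account's supported types, which is why the account running
        # the service must allow AES even when the client already does.
        etype = etypes[0]
        service = "/".join(cols[2].split(","))
        results.append((int(cols[0]), service, ETYPES.get(etype, f"etype-{etype}"), etype == 18))
    return results


def non_aes256(tshark_fields):
    """Service tickets that were not issued with aes256-cts-hmac-sha1-96."""
    return [r for r in ticket_etypes(tshark_fields) if not r[3]]


if __name__ == "__main__":
    for frame, service, name, ok in ticket_etypes(SAMPLE):
        print(f"frame {frame}: {service} -> {name} ({'OK' if ok else 'NOT AES256'})")
```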