How Can I Transition from RC4 to AES Encryption for Kerberos Tickets?

Asked By TechieTurtle42 On

I'm looking to eliminate RC4 encryption from our domain. Even though our accounts and devices are set up for both RC4 and AES encryption, they seem to be using RC4 for their Kerberos tickets. I'm unsure why this is happening. Should I configure the Network Security Policy for allowed encryption types for Kerberos? Currently, I haven't set anything. To ensure everything works correctly, should I include both RC4 and AES in that configuration? I thought domain controllers were meant to utilize the strongest available encryption. I also checked for Kerberos errors (Event 14) but didn't find any. Any guidance would be greatly appreciated!

3 Answers

Answered By CleverCoder91 On

This can definitely be tricky! It sounds like you're checking for RC4 usage, but make sure to clarify whether you're looking at service accounts or user accounts. Service accounts might stick to RC4 because the AES options aren't checked or due to password reset issues. User accounts are typically more adaptable, deriving AES keys based on passwords during login. If there's something preventing AES from being used, it could force everything back to RC4. So, double-check the settings on the accounts!
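
The account-side check described in the answer above, as an added PowerShell example that is not part of the original thread or any Microsoft script. It walks every user and computer that carries an SPN (those are the accounts whose service tickets are encrypted with the account's own long-term key), decodes `msDS-SupportedEncryptionTypes`, and flags accounts whose password was last set before the domain could derive AES keys, since AES keys only exist once the password has been changed after AES support was available. Assumptions: the RSAT `ActiveDirectory` module is present, and `$AesAvailableSince` must be set to the date your domain functional level reached Windows Server 2008 or AES was otherwise enabled (the default below is a placeholder).

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# RSAT module and read access to the domain.
# ASSUMPTION: $AesAvailableSince is the date the domain could first generate
# AES keys (typically when the domain functional level reached 2008).
param(
    [datetime]$AesAvailableSince = '2015-01-01'
)
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes. This is the same bitmask the
# "Network security: Configure encryption types allowed for Kerberos" policy
# writes to SupportedEncryptionTypes on each host.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
    AES256_SK   = 0x20   # AES session-key bit introduced by the Nov 2022 updates
}

function ConvertFrom-EncTypeMask {
    param($Mask)
    if ($null -eq $Mask -or $Mask -eq 0) { return 'not set (falls back to KDC default)' }
    ($EncTypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object Key) -join ','
}

# Every user and computer with at least one SPN.
$accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
    -Properties sAMAccountName, objectClass, 'msDS-SupportedEncryptionTypes', pwdLastSet

$report = foreach ($a in $accounts) {
    $mask   = $a.'msDS-SupportedEncryptionTypes'
    $pwdSet = if ($a.pwdLastSet) { [DateTime]::FromFileTimeUtc($a.pwdLastSet) } else { $null }
    $hasAes = ($mask -band ($EncTypeBits.AES128 -bor $EncTypeBits.AES256)) -ne 0

    # An account can advertise AES and still have no AES key: long-term keys are
    # derived from the password, so a password older than AES support yields
    # only the RC4 (NT hash) key and the KDC has nothing else to use.
    $keysPredateAes = $pwdSet -and ($pwdSet -lt $AesAvailableSince)

    $finding = if (-not $mask)            { 'unset: inherits DC default' }
               elseif (-not $hasAes)      { 'RC4/DES only: enable AES, then reset the password' }
               elseif ($keysPredateAes)   { 'AES flagged but password predates AES: reset the password' }
               else                       { 'ok' }

    [pscustomobject]@{
        Account         = $a.sAMAccountName
        Class           = $a.objectClass
        EncTypes        = ConvertFrom-EncTypeMask $mask
        PasswordLastSet = $pwdSet
        Finding         = $finding
    }
}

$report | Sort-Object Finding | Format-Table -AutoSize
```

Run it as a domain user with read access; anything other than `ok` is a candidate for the RC4 tickets you are seeing. For service accounts, the fix is to tick the AES boxes (or set the attribute) and then reset the password so AES keys are actually generated; for computer accounts the next machine password rotation does the same.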

Answered By DataDude55 On

You might want to check out the configuration for DefaultDomainSupportedEncTypes and ensure that the allowed encryption types are set correctly on your domain controllers and member devices. If you enforce AES on the DCs, it'll apply across the board, restricting any usage to non-compliant encryption types. Also, keep an eye on your DC versions; they can really affect compatibility with AES. If you add both RC4 and AES to your domain policy, it should ideally prioritize AES, right?

TechieTurtle42 -

Yes, that's what I thought. Setting it to allow both should push AES as the preferred option. I'll look into it more!
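
To check what the KDC is actually issuing, rather than what the accounts advertise, here is an added PowerShell example (not from the original thread) to run on a domain controller. It reads the two settings discussed above, `DefaultDomainSupportedEncTypes` (what the KDC assumes for accounts with no `msDS-SupportedEncryptionTypes`) and the `SupportedEncryptionTypes` policy value on the DC itself, then parses events 4768 (TGT) and 4769 (service ticket) from the Security log and groups them by ticket encryption type, so you can see whether "both RC4 and AES" really resolves to AES. Assumptions: Kerberos auditing is enabled, you can read the Security log, and the `$Hours` window is a placeholder.

```powershell
# Added example, not from the original thread. Run on a domain controller
# with rights to read the Security log. ASSUMPTION: $Hours lookback window.
param([int]$Hours = 24)

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-EncTypeSetting {
    param([string]$Path, [string]$Name)
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { "$Name not set" } else { '{0}: 0x{1:X}' -f $Name, $v }
}

# KDC default for accounts whose msDS-SupportedEncryptionTypes is empty
# (Microsoft's documented post-Nov-2022 default is 0x27 = RC4+AES128+AES256+AES-SK).
Get-EncTypeSetting $KdcKey 'DefaultDomainSupportedEncTypes'
# The "Network security: Configure encryption types allowed for Kerberos"
# policy as applied to this DC; the bits are the same mask as the attribute.
Get-EncTypeSetting $PolicyKey 'SupportedEncryptionTypes'

# TicketEncryptionType values as logged in 4768 and 4769.
$TicketEtype = @{
    '0x1'  = 'DES-CBC-CRC'; '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128';      '0x12' = 'AES256'
    '0x17' = 'RC4-HMAC';    '0x18' = 'RC4-HMAC-EXP'
}

function Get-KerberosTicketEtypes {
    param([int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Client   = $d['TargetUserName']   # requesting principal
            Service  = $d['ServiceName']      # krbtgt for 4768, the SPN owner for 4769
            EtypeRaw = $d['TicketEncryptionType']
            Etype    = $TicketEtype[$d['TicketEncryptionType']]
        }
    }
}

$tickets = Get-KerberosTicketEtypes -Hours $Hours

# Overall mix: once AES is in place everywhere, RC4-HMAC should not appear here.
$tickets | Group-Object Etype | Select-Object Name, Count | Sort-Object Count -Descending

# Which services are still being issued RC4 tickets (the usual culprit is a
# service account whose password predates AES, see the account audit above).
$tickets | Where-Object EtypeRaw -eq '0x17' |
    Group-Object Service | Select-Object Name, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

The policy order matters for interpretation: a 4769 ticket is encrypted with the strongest etype that the client requested, the DC allows and the target account has a key for. If the service account shows up under RC4 here although its attribute lists AES, the missing piece is almost always the key, not the policy.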

Answered By SecurityNerd88 On

Consider resetting the Kerberos KRBTGT password as part of your troubleshooting. You’ll want to change it twice, with a good gap between the changes—usually at least 10 hours or until the next day before the second change. There are plenty of clear guides online that'll walk you through the process. Additionally, here are a couple of useful resources:
- AD Forest Recovery - Reset the krbtgt password
- Detect and Remediate RC4 Usage in Kerberos
- Active Directory Hardening Series - Enforcing AES for Kerberos

TechieTurtle42 -

Got it! I usually change it every six months, so that might not be the cause. Thanks for the tip!
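
The krbtgt double reset mentioned above, as an added PowerShell example that is not part of the original thread or of Microsoft's published reset script. The point of the gap between the two resets is that the KDC keeps the current and the previous krbtgt key, so TGTs issued under the old key keep working after the first reset but break after the second; waiting at least the maximum TGT lifetime (10 hours by default) lets them expire first. The helper refuses the second reset until that gap has passed. Assumptions: the `ActiveDirectory` module, Domain Admin rights, a writable DC, and the 10-hour default, which should match your domain's "Maximum lifetime for user ticket" setting.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module and Domain Admin rights. ASSUMPTION: MinHoursBetweenResets equals the
# domain's maximum TGT lifetime (10 hours is the Windows default).
Import-Module ActiveDirectory

function Get-KrbtgtState {
    $k = Get-ADUser krbtgt -Properties PasswordLastSet, 'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        PasswordLastSet = $k.PasswordLastSet
        HoursSinceReset = [math]::Round(((Get-Date) - $k.PasswordLastSet).TotalHours, 1)
        EncTypesMask    = $k.'msDS-SupportedEncryptionTypes'
    }
}

function Reset-KrbtgtPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$MinHoursBetweenResets = 10)

    $state = Get-KrbtgtState
    if ($state.HoursSinceReset -lt $MinHoursBetweenResets) {
        $msg = 'krbtgt was reset {0}h ago; wait at least {1}h so TGTs issued under the previous key expire.' -f
               $state.HoursSinceReset, $MinHoursBetweenResets
        Write-Warning $msg
        return
    }

    if ($PSCmdlet.ShouldProcess('krbtgt', 'reset password')) {
        # The value supplied here is only a placeholder: AD replaces the krbtgt
        # password with a random one on reset, so the string is never the key.
        $placeholder = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
        Set-ADAccountPassword -Identity krbtgt -Reset `
            -NewPassword (ConvertTo-SecureString $placeholder -AsPlainText -Force)
        Get-KrbtgtState
    }
}

# Dry run, then the first reset; run the function again after the gap.
Reset-KrbtgtPassword -WhatIf
```

Before the second run, also confirm the new krbtgt key has replicated to every DC (for example with `repadmin /showobjmeta` on the krbtgt object), because a DC still holding the older key would start rejecting valid TGTs once the second reset lands.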
