I wanted to give everyone a heads-up about an urgent issue regarding service accounts in our environments. We've discovered that several of our service accounts are still using RC4 Kerberos encryption, and as many of you might know, Microsoft's April update will break these accounts.
Starting April 2026, Microsoft is changing the default encryption type for accounts with a null value in msDS-SupportedEncryptionTypes from RC4 to AES-SHA1, with this change becoming permanent by July. If you don't act, authentication for those accounts will just stop, leading to serious disruptions, especially for legacy apps and NAS devices that haven't been updated in a long time.
To check the encryption types for your service accounts, you can run a simple PowerShell command against the Security log on your domain controllers. Be on the lookout for '0x17' in the ticket encryption type field, as that indicates the use of RC4. For accounts still using RC4, you need to set msDS-SupportedEncryptionTypes to 24 and purge old Kerberos tickets to ensure smooth operation after the update.
Also, Microsoft has provided helpful scripts on GitHub to audit and manage these accounts. Be proactive about this as it could save you from major headaches in the future!
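The Security-log check and the msDS-SupportedEncryptionTypes fix described above, as an added example that is not from the original post or from Microsoft's GitHub scripts. It assumes the ActiveDirectory module is installed, that it runs on a domain controller (or with -ComputerName pointed at one), and that 'svc_example' is a placeholder account name.

```powershell
# Added example: find service accounts whose tickets are still issued with RC4,
# decode their current msDS-SupportedEncryptionTypes, and show the remediation.
Import-Module ActiveDirectory
$Since = (Get-Date).AddDays(-7)   # lookback window; widen it to catch weekly jobs

# Event 4769 = "A Kerberos service ticket was requested". Its TicketEncryptionType
# field is 0x17 for RC4-HMAC, 0x11 for AES128 and 0x12 for AES256.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction Stop

$rc4 = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TicketEncryptionType'] -eq '0x17') {
        [pscustomobject]@{ ServiceName = $d['ServiceName']; Client = $d['TargetUserName']; Time = $e.TimeCreated }
    }
}

# Decode the bitmask so "16" vs "24" is readable: 4 = RC4, 8 = AES128, 16 = AES256.
function ConvertFrom-EncTypeMask([int]$Mask) {
    if ($Mask -eq 0) { return 'null/0 (default, affected by the April change)' }
    $names = @{ 1 = 'DES-CRC'; 2 = 'DES-MD5'; 4 = 'RC4'; 8 = 'AES128'; 16 = 'AES256' }
    ($names.Keys | Sort-Object | Where-Object { $Mask -band $_ } | ForEach-Object { $names[$_] }) -join '+'
}

# One row per service account seen with RC4, with its current attribute decoded.
$rc4 | Group-Object ServiceName | Sort-Object Count -Descending | ForEach-Object {
    $name = $_.Name.TrimEnd('$').Split('@')[0]
    $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name' -or sAMAccountName -eq '$name$'" `
                -Properties 'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        ServiceName   = $_.Name
        Rc4Tickets    = $_.Count
        SupportedEnc  = ConvertFrom-EncTypeMask ([int]($obj.'msDS-SupportedEncryptionTypes'))
    }
} | Format-Table -AutoSize

# Remediation for one account once you have confirmed the service itself supports AES:
# 24 = AES128 (8) + AES256 (16). Run it without -WhatIf to apply.
Set-ADUser -Identity 'svc_example' -Replace @{ 'msDS-SupportedEncryptionTypes' = 24 } -WhatIf
# Then purge cached tickets on the hosts that talk to that service so new AES tickets are issued:
#   klist purge
```

An account whose tickets show 0x17 while the attribute reads 16 is being issued RC4 for a reason the attribute alone does not explain (for example a key that predates AES support on the account), so re-check after the password has been reset.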
6 Answers
Keep in mind that if any service accounts haven’t had their passwords updated since before your domain functional level was raised to 2008R2, simply modifying msDS-SupportedEncryptionTypes won’t work. You'll need to reset those passwords twice.
You need to be careful; if your account still allows RC4, you’ll be vulnerable after the update. Changing to 24 is the right move to secure those accounts.
Here’s a handy link to the scripts mentioned in the post. As for running them, you typically only need to run them on one domain controller, but there's a parameter to check across all DCs if needed, although it can be slow and prone to crashes.
Great post! I wish I had your advice when encountering similar issues in the past; it was tough to resolve. Cheers for sharing this info!
I’m a bit confused. I see one of my service accounts showing '0x17', and msDS-SupportedEncryptionTypes is set to '16'. Does this mean I'm still at risk? Should I change it to '24'?
I've been working on a site to help explain Kerberos, especially with the RC4 updates coming out. It covers a lot, including valid keys, encryption negotiation, and even some tools to decode ticket information. Check it out for a better understanding!
This is super helpful! I'll definitely use this for my setup.

Awesome resource! Thanks for sharing that; it's so much clearer than the official docs.