I'm looking into an issue with Kerberos Event ID 4769 where the service ticket is still being encrypted with RC4 (0x17), even though AES is enabled and should be available. Here are some details:
- The service account (SQLCLS$) is requesting a ticket.
- The client advertises AES128 and AES256.
- The Domain Controller supports AES.
- Yet, the ticket issued is still using RC4.
Could this happen due to old passwords or legacy keys? Or could it be because of missing msDS-SupportedEncryptionTypes on the user? What's the best way to fix this?
2 Answers
Have you checked if DefaultDomainSupportedEncTypes is set? If it's not configured on your DCs, that could definitely lead to issues. You mentioned using Group Policy for setting Kerberos encryption types; just make sure all the required types are allowed and that the service account has the proper SPNs registered.
It sounds like you might not have updated the passwords when switching ciphers, or you could be missing the Service Principal Name (SPN) for SQL. It's pretty common to run into these issues if the service account isn't properly configured for the newer encryption methods.
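
Added example, not part of either answer: a PowerShell triage function covering the causes raised in this thread (an unset or AES-less msDS-SupportedEncryptionTypes, a password older than the AES change, a missing SPN). The function name, the `-AesEnabledOn` cutoff and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example. Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncBits = [ordered]@{
    'DES-CBC-CRC' = 0x1; 'DES-CBC-MD5' = 0x2; 'RC4-HMAC' = 0x4
    'AES128' = 0x8; 'AES256' = 0x10
}

function Test-KerbEncConfig {           # hypothetical helper name
    param(
        [string]$Name,
        [int]$SupportedEncTypes,        # msDS-SupportedEncryptionTypes; 0 when unset
        [string[]]$Spn,                 # servicePrincipalName values
        [datetime]$PasswordLastSet,
        [datetime]$AesEnabledOn         # assumption: date AES was enabled in the domain
    )
    # Decode the bitmask into the names of the enabled encryption types.
    $enabled  = @($EncBits.Keys | Where-Object { $SupportedEncTypes -band $EncBits[$_] })
    $findings = @()
    if ($SupportedEncTypes -eq 0) {
        $findings += 'msDS-SupportedEncryptionTypes unset: the DC default (DefaultDomainSupportedEncTypes) applies'
    } elseif (-not ($SupportedEncTypes -band 0x18)) {
        $findings += 'no AES bit set on the account'
    }
    if ($SupportedEncTypes -band 0x4) { $findings += 'RC4 is still allowed on the account' }
    if (-not $Spn) { $findings += 'no SPN registered' }
    if ($PasswordLastSet -lt $AesEnabledOn) {
        $findings += 'password predates the AES change: the account may hold no AES keys until it is reset'
    }
    [pscustomobject]@{ Account = $Name; Enabled = $enabled -join ', '; Findings = $findings }
}

# Constructed sample data (not real values from the asker's domain).
$samples = @(
    @{ Name = 'SQLCLS$'; SupportedEncTypes = 0; Spn = @()
       PasswordLastSet = [datetime]'2012-05-01' }
    @{ Name = 'SVC-AES$'; SupportedEncTypes = 0x18; Spn = @('MSSQLSvc/db.example.test:1433')
       PasswordLastSet = [datetime]'2023-02-10' }
)
foreach ($s in $samples) {
    Test-KerbEncConfig @s -AesEnabledOn ([datetime]'2020-01-01') | Format-List
}

# Live input comes from the ActiveDirectory module, for example:
#   Get-ADObject -LDAPFilter '(sAMAccountName=SQLCLS$)' `
#     -Properties msDS-SupportedEncryptionTypes, servicePrincipalName, pwdLastSet
```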
