RC4 Deprecation in Windows Kerberos: Plan AES Migration for AD

Microsoft has quietly but deliberately set a firm deadline to end a decades‑long compatibility compromise: RC4 (RC4‑HMAC) will no longer be the assumed, permissive fallback for Kerberos ticket encryption on Windows domain controllers, and Microsoft has delivered a staged rollout tied to CVE‑2026‑20833 that forces organizations to inventory, remediate, and move to AES‑based Kerberos encryption.

Background / Overview​

For nearly twenty years Windows Active Directory environments permitted multiple Kerberos encryption types (enctypes) to maximize compatibility with legacy clients and third‑party appliances. That compatibility choice included RC4‑HMAC as a common fallback, which cryptographers and incident responders have long considered weak or obsolete for authentication tokens. The practical result: attackers could harvest service tickets and run offline cracking attacks (commonly called Kerberoasting) against RC4‑encrypted tickets far more cheaply than against AES‑protected ones, making service accounts attractive targets.
In response to an information‑disclosure vulnerability tracked as CVE‑2026‑20833, Microsoft published a staged mitigation plan that both increases Kerberos telemetry and flips the default domain controller KDC behavior away from RC4 toward AES‑SHA1 enctypes. The plan began with Windows updates released on January 13, 2026, and continues through April and July 2026 with progressively stricter defaults and final enforcement.

---

What CVE‑2026‑20833 actually is​

The vulnerability in plain language​

CVE‑2026‑20833 is described as a Use of a Broken or Risky Cryptographic Algorithm in Windows Kerberos, where continued allowance of legacy ciphers (especially RC4) can enable an authenticated attacker to obtain service tickets encrypted with weaker algorithms and perform offline attacks to recover service account credentials. These service accounts often have elevated privileges and can be used for lateral movement or privilege escalation. The CVE entry was published on January 13, 2026.

What the CVE does — and does not — prove​

• The core technical problem is weak cryptography combined with easy offline cracking: RC4’s historical key derivation in Windows (NTLM/RC4‑derived keys) lacks salt and iteration, making brute‑force far cheaper than for AES‑based Kerberos enctypes.
• Public advisories tie the change directly to Kerberoasting risk; however, public proof‑of‑concept exploit code has not been widely published at the time of Microsoft’s advisory, and authoritative trackers note limited evidence of broad active exploitation. That caveat doesn’t reduce the operational urgency — it simply changes the threat calculus.

---

The rollout timeline and what each phase means​

Microsoft chose a three‑phase, calendarized approach so administrators have runway to discover and remediate RC4 dependencies.

January 13, 2026 — Initial deployment (Audit / Diagnostic phase)​

• Windows updates released on or after this date introduce new Kerberos audit events and the temporary registry control RC4DefaultDisablementPhase.
• The initial update is diagnostic: it logs KDCSVC/Kerberos events that identify RC4 usage and insecure DefaultDomainSupportedEncTypes (DDSET) configurations so admins can find problem accounts and devices without breaking authentication.

April 2026 — Second deployment (Default change to AES‑SHA1)​

• Starting in April 2026, Microsoft changes the default for domain controllers so that DefaultDomainSupportedEncTypes (DDSET) uses AES‑SHA1 only (bitmask 0x18) for accounts that do not have an explicit msds‑SupportedEncryptionTypes attribute.
• The practical effect is that domain controllers will no longer automatically fall back to RC4 for accounts that lack explicit settings; environments that still depend on RC4 may begin to see authentication failures unless those accounts are fixed or explicitly configured to allow RC4.

July 2026 — Final enforcement (Audit removed)​

• In July 2026 Microsoft will remove the Audit mode and the RC4DefaultDisablementPhase registry key is retired. Enforcement mode becomes the only operational state: RC4 fallback will be fully eliminated from the KDC path except where an administrator has explicitly set per‑account exceptions. At that point, non‑compliant RC4 connections will be blocked.

---

Why this matters now: operational and security impacts​

The change is more than a cryptography footnote — it’s an operational deadline with real outage risk.

• Credential exposure risk: RC4 simplifies offline cracking of service tickets. Service accounts (which often run services or DB connections) have elevated privileges; stolen credentials can lead to domain compromise.
• Authentication failures: Any device, application, or vendor appliance that only advertises RC4 or whose service account lacks AES keys can fail authentication when domain controllers stop issuing RC4 tickets by default.
• Third‑party dependencies: Embedded systems, network appliances, and older Windows builds in isolated segments are common RC4 holdouts. These devices may not receive updates quickly and can fail unexpectedly during the April/July transitions.
• Regulatory and legal attention: Public incidents tied to Kerberos abuse have already drawn congressional scrutiny and vendor pressure; the default flip accelerates industry expectations for good identity hygiene.

---

What Microsoft explicitly recommends (and the commands you should plan)​

Microsoft’s published guidance lays out a short list of recommended actions that should be treated as immediately operational tasks for any environment with Active Directory domain controllers.

• 1) Patch all domain controllers with the Windows updates released on or after January 13, 2026. This provides the logging and controls needed to detect RC4 usage.
• 2) Monitor Kerberos and System event logs for the new set of KDCSVC and Kerberos audit events (Microsoft lists nine KDCSVC events across warning/audit types) to find accounts and clients that still depend on RC4. Forward these logs to your SIEM.
• 3) Address KDCSVC events and account key gaps such as accounts missing AES key material (Available Keys) or clients that only advertise RC4. Typical remediation includes resetting service account passwords to generate AES keys and updating client/vendor software.
• 4) Only enable Enforcement mode when logs are clean. Enforcement mode (RC4DefaultDisablementPhase = 2 or when Microsoft flips the default) stops RC4 fallback; enable it after you’ve confirmed no high‑risk authentication failures will result.

---

Detecting RC4 usage: the practical signals​

Microsoft improved Kerberos visibility by adding processed fields to relevant Event IDs and publishing helper scripts. Make these the first items in your discovery plan.

• Look for extended fields in Security Event IDs such as 4768 (TGT request) and 4769 (service ticket issued) that now include:
• msDS‑SupportedEncryptionTypes (what the account advertises)
• Available Keys / Account Keys (what key material is present)
• Ticket Encryption Type and Session Encryption Type (which etype was used)
• Watch the System log for KDCSVC events (Event IDs in the 200 range — auditing and warnings) introduced with the January update.
• Use Microsoft’s PowerShell helpers (for example, List‑AccountKeys.ps1 and Get‑KerbEncryptionUsage.ps1) to inventory accounts lacking AES keys or ticket issuance patterns that show RC4. Centralize results in your SIEM for cross‑DC correlation.

---

A prioritized remediation checklist for sysadmins​

Follow a risk‑based, iterative approach. Don’t try to flip enforcement until you complete a full discovery and targeted remediation cycle.

• Inventory and baseline
• Centralize logs (Event IDs 4768 / 4769 + KDCSVC) from all domain controllers into your SIEM.
• Run Microsoft’s helper scripts to list accounts lacking AES keys and summarize recent RC4 ticket usages.
• Triage by exposure
• High priority: accounts with SPNs running critical services and accounts with wide privileges.
• Medium priority: production third‑party appliances and legacy servers.
• Low priority: lab devices and equipment scheduled for retirement.
• Remediate accounts and clients
• For accounts missing AES keys: perform controlled password resets (sometimes two resets are required to fully populate AES key material across domain controllers).
• For clients advertising only RC4: update OS, vendor firmware, or replace the appliance. If vendor support is unavailable, document and isolate the device as necessary.
• Test enforcement in a controlled group
• Use RC4DefaultDisablementPhase = 2 on a subset of non‑production domain controllers to simulate April behavior and validate remediation steps.
• Enable enforcement broadly
• Move to Enforcement mode only after logs show a clean state and after stakeholders sign off on mitigations.
• Document exceptions and compensating controls
• If you must keep RC4 for legacy compatibility, explicitly set msDS‑SupportedEncryptionTypes for the specific account and control access to that account tightly; log, rotate credentials frequently, and apply strict network segmentation.

---

Practical examples: common pitfalls and fixes​

• Device: a network scanner appliance that only supports RC4
• Pitfall: authentication fails after April default flip.
• Fix: engage vendor support for firmware/patch; if impossible, create a constrained service account, set msDS‑SupportedEncryptionTypes to include RC4 only for that account, rotate its password frequently, and isolate the appliance on a segregated VLAN.
• Application: custom line‑of‑business app using legacy Windows APIs
• Pitfall: the app advertises RC4-only enctypes or uses stale credential stores.
• Fix: update app or rebuild authentication stack to use modern Kerberos libraries; as an interim, rotate the service account password and limit its privileges.
• Forest with mixed OS versions
• Pitfall: older domain controllers or member servers might not understand the new telemetry or could misreport keys.
• Fix: ensure all domain controllers are patched, and verify domain functional level compatibility before flipping enforcement.

---

Risks and trade-offs — frank analysis​

Microsoft’s decision to flip a long‑standing default is justified by strong cryptographic and operational arguments, but it carries real trade‑offs that IT teams must manage.
Strengths and benefits

• Reduces the attack surface for Kerberoasting and similar offline attacks by making AES the baseline.
• Raises the bar for attackers by increasing the computational cost of brute‑forcing service tickets.
• Delivers better telemetry that makes inventory and remediation practical at enterprise scale.

Potential risks and operational downsides

• Authentication outages are the most immediate risk — poorly inventoried RC4 dependencies will break in April or July 2026.
• Vendor/device compatibility: long‑lived appliances and embedded systems often lack timely updates and can require costly replacement.
• Human and process risk: rushed password resets, poorly documented exceptions, or ad‑hoc re‑enabling of RC4 can leave long‑term security debt.

Cautionary points

• Microsoft’s advisory and CVE do not mean every environment is actively being exploited today — but the population‑level reduction in exposure is what makes this move defensible. Public trackers list limited exploit evidence but still rate the vulnerability as operationally relevant. Always cross‑check your organization’s telemetry rather than assuming safety.

---

If you must keep RC4: safe‑guarding exceptions​

Microsoft allows explicit per‑account exceptions by setting the msDS‑SupportedEncryptionTypes attribute to include RC4, but this should be a last‑resort, highly controlled option.

• Only use per‑account RC4 allowances when you have no vendor or upgrade path.
• Apply compensating controls:
• Isolate the account and service using network segmentation and strict firewall rules.
• Use short, complex passwords and automate rotation.
• Monitor the account’s usage continuously and alert on anomalies.
• Document the exception and schedule a migration plan with firm deadlines.

---

Checklist for the next 30 / 60 / 90 days​

• 0–30 days:
• Patch all domain controllers with updates from January 13, 2026 or later.
• Begin centralizing Kerberos events and run the MS helper scripts for a first pass inventory.
• 30–60 days:
• Triage and remediate high‑risk accounts (SPNs, wide privileges).
• Engage vendors for firmware/patch timelines for appliances and embedded devices.
• 60–90 days:
• Run enforcement simulation on a test OU or lab domain controllers (RC4DefaultDisablementPhase = 2).
• Finalize remediation and prepare to accept April changes in production; plan to remove audit bypasses before July transition.

---

Conclusion​

Microsoft’s removal of RC4 as a default Kerberos encryption type is a long‑overdue, pragmatic step to reduce credential exposure and raise the cost of offline attacks like Kerberoasting. The staged timeline (January 13, 2026 audit rollout; April 2026 AES‑only defaults for DDSET; July 2026 final enforcement) gives administrators a finite runway to discover, remediate, and test changes — but it is a real deadline, not a vague recommendation.
Treat this as an identity‑centric modernization project: inventory Kerberos usage now, prioritize service accounts and third‑party devices, patch domain controllers immediately, and only use explicit RC4 exceptions as tightly controlled, documented stopgaps. The preservation of operational continuity while removing a cryptographic liability is achievable — but only if teams act with disciplined discovery, remediation, and testing over the months ahead.

---

Source: Petri IT Knowledgebase Microsoft Phases Out RC4 in Kerberos to Boost Security