Insights

Kerberos RC4 enforcement:
what changes in Active Directory

·KerberosActive DirectoryRC4Windows ServerCybersecurity
Enforcement14 April 2026
New defaultAES-SHA1 (0x18)
Event IDs201–209 (KDCSVC)

What happened on 14 April 2026

With the April 2026 cumulative update (CVE-2026-20833), Microsoft activated the RC4 deprecation enforcement in Kerberos. In practice, the Active Directory KDC (Key Distribution Center) no longer issues tickets encrypted with RC4 for accounts that do not have an encryption type explicitly configured in the msds-SupportedEncryptionTypes attribute.

The change did not come without warning: the audit phase had been active since 13 January 2026, logging accounts that still used RC4 in the System event log. Those who monitored Event IDs 201–209 (source KDCSVC) had three months to prepare. Those who did not may already have authentication failures in production.

Update, 14 July 2026: enforcement becomes final

The July 2026 Patch Tuesday brings the final enforcement phase of CVE-2026-20833: updated domain controllers no longer honour the registry key RC4DefaultDisablementPhase. The rollback escape that had let you temporarily re-enable RC4 since January 2026 is closed: there is no way back.

The practical impact must be anticipated: after the updated DCs reboot, every service account, appliance, keytab or legacy application still depending on RC4 may start to fail Kerberos authentication — including SQL Server service accounts. If you deferred the migration relying on the registry workaround, this is the week the bill comes due. Anyone who has already moved all accounts to AES will notice nothing.

What breaks

The impact depends on how many objects in the Active Directory domain still lack an explicit encryption type. The most common cases are:

  • Legacy service accounts — accounts created years ago for ERP, CRM or middleware applications, never updated cryptographically. If msds-SupportedEncryptionTypes is missing or set to zero, the KDC rejects the ticket.
  • NAS and storage with RC4 keytabs — network devices (Synology, QNAP and other NAS) using a Kerberos keytab exported with RC4 encryption for domain authentication. Share logins stop working.
  • Non-Windows devices — Linux appliances, network printers and embedded systems that authenticate via Kerberos with keytabs configured for RC4 stop obtaining valid tickets.
  • Legacy applications — software that forces RC4 negotiation in the ticket request or does not support AES. The result is a silent authentication error that can look like a network issue.

How to check the domain status

The check needs to be done on two fronts: KDC logs and account inventory.

1. Event log — on domain controllers, check Event IDs 201–209 in the System log with source KDCSVC. Each event indicates an account that requested or obtained a ticket with RC4 encryption. If enforcement is already active and you see authentication errors, these events are the starting point for identifying the causes.

2. PowerShell query — search Active Directory for all accounts (user and computer) whose msds-SupportedEncryptionTypes attribute is missing, set to zero, or includes the RC4 flag (0x4). These are the accounts that will no longer receive tickets from the KDC after enforcement, unless updated.

How to fix it

Migrating from RC4 to AES is a surgical operation: it must be done account by account, testing authentication after each change. Here are the steps:

  • 1Set msds-SupportedEncryptionTypes — for each service account, configure the attribute to a value that includes AES128 and AES256 (the most common is 0x18, corresponding to AES-SHA1). This tells the KDC to issue AES tickets for that account.
  • 2Re-export keytabs — for non-Windows devices (NAS, Linux appliances), re-export the Kerberos keytab specifying AES encryption type and update it on the device. An RC4 keytab no longer works after enforcement.
  • 3Update applications — verify that software using Kerberos authentication supports AES. For applications that force RC4, contact the vendor for an update or alternative configuration.
  • 4Verify and monitor — after each change, check that authentication works and continue monitoring Event IDs 201–209 on the KDC. The goal is to reach zero RC4 events: from the July 2026 Patch Tuesday the registry workaround is no longer available and enforcement is permanent.

The three waves of Kerberos enforcement

RC4 deprecation is not an isolated event. It is part of a broader Kerberos hardening effort in Active Directory that Microsoft is pursuing on three fronts:

  • 1PAC Validation (CVE-2024-26248 + CVE-2024-29056) — full enforcement since 8 April 2025. The KDC rigorously validates the PAC (Privilege Attribute Certificate) signature, blocking PAC forgery attacks. Already active and permanent.
  • 2RC4 deprecation (CVE-2026-20833) — enforcement since 14 April 2026. The KDC no longer issues RC4 tickets for accounts without explicit encryption. The registry rollback, available since January 2026, was removed with the July 2026 Patch Tuesday: enforcement has been permanent since then.
  • 3Certificate-based authentication (CVE-2025-26647) — strengthens validation of certificates used for Kerberos PKINIT authentication, preventing certificate impersonation attacks. Currently in phased rollout.

The message is clear: Active Directory is becoming more secure, but it requires continuous attention to configuration and monitoring. Domains left “as they are” for years accumulate technical debt that eventually translates into outages.

Migration support

AtWorkStudio has been managing Active Directory infrastructure for SMEs since 2000, from Piacenza, Italy. We hold ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, with ACN qualification for cloud services. We are members of Clusit (Italian Association for Information Security) and affiliated with Confindustria Piacenza in the RICT cluster.

If your Active Directory domain has not been prepared for RC4 enforcement, we can help with a targeted audit: RC4 account inventory, Event ID analysis on domain controllers, AES migration plan and post-enforcement verification. All without disrupting production.

Sources

  • Microsoft Support KB5073381 — Official article on managing RC4 use in the KDC (CVE-2026-20833), including the enforcement phases up to the final one in July 2026
  • Microsoft Tech Community — Kerberos encryption type enforcement timeline
  • 4sysops — Technical guide to RC4-to-AES migration in Active Directory
  • NVD — CVE-2026-20833, CVE-2024-26248, CVE-2024-29056, CVE-2025-26647

Frequently asked questions

Answers to common questions about RC4 enforcement in Kerberos and migrating to AES.

Is your Active Directory domain ready?

If you have not yet checked RC4 account status, we can run a targeted audit of your Active Directory domain and guide you through the AES migration, with no service disruption.