What happened on 14 April 2026
With the April 2026 cumulative update (CVE-2026-20833), Microsoft activated the RC4 deprecation enforcement in Kerberos. In practice, the Active Directory KDC (Key Distribution Center) no longer issues tickets encrypted with RC4 for accounts that do not have an encryption type explicitly configured in the msds-SupportedEncryptionTypes attribute.
The change did not come without warning: the audit phase had been active since 13 January 2026, logging accounts that still used RC4 in the System event log. Those who monitored Event IDs 201–209 (source KDCSVC) had three months to prepare. Those who did not may already have authentication failures in production.
What breaks
The impact depends on how many objects in the Active Directory domain still lack an explicit encryption type. The most common cases are:
- Legacy service accounts — accounts created years ago for ERP, CRM or middleware applications and never updated cryptographically. If msDS-SupportedEncryptionTypes is missing or set to zero, the KDC rejects the ticket request.
- NAS and storage with RC4 keytabs — network devices (Synology, QNAP and other NAS) that use a Kerberos keytab exported with RC4 encryption for domain authentication. Share logins stop working.
- Non-Windows devices — Linux appliances, network printers and embedded systems that authenticate via Kerberos with keytabs configured for RC4 stop obtaining valid tickets.
- Legacy applications — software that forces RC4 negotiation in the ticket request or does not support AES. The result is a silent authentication error that can look like a network issue.
How to check the domain status
The check needs to be done on two fronts: KDC logs and account inventory.
1. Event log — on domain controllers, check Event IDs 201–209 in the System log with source KDCSVC. Each event indicates an account that requested or obtained a ticket with RC4 encryption. If enforcement is already active and you see authentication errors, these events are the starting point for identifying the causes.
2. PowerShell query — search Active Directory for all accounts (user and computer) whose msDS-SupportedEncryptionTypes attribute is missing, set to zero, or includes the RC4 flag (0x4). These are the accounts that will no longer receive tickets from the KDC after enforcement, unless updated.
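Both checks in one PowerShell script, as an added example that is not part of the original article: it inventories accounts whose msDS-SupportedEncryptionTypes is missing, zero or still carries the RC4 bit, then summarises KDCSVC events 201–209 on the local domain controller. The event provider name match and the account-name extraction from the event message are assumptions; adjust them to what your DCs actually log.

```powershell
# Added example (not from the article). Run on a domain controller with the
# ActiveDirectory module. Provider filter and message parsing are assumptions.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes
$EncFlags = [ordered]@{
    DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC  = 0x4
    AES128_CTS  = 0x8; AES256_CTS  = 0x10; AES256_SK = 0x20
}

function ConvertTo-EncTypeNames([int]$Value) {
    if ($Value -eq 0) { return 'NONE (0)' }
    ($EncFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }) -join '+'
}

# 1. Account inventory: attribute missing, zero, or RC4 bit set.
#    Scope with -SearchBase on large domains.
$attr = 'msDS-SupportedEncryptionTypes'
$accounts = @(Get-ADUser -Filter * -Properties $attr) +
            @(Get-ADComputer -Filter * -Properties $attr)
$risky = foreach ($a in $accounts) {
    $v = $a.$attr
    $state = if ($null -eq $v) { 'MISSING' }
             elseif ($v -eq 0) { 'ZERO' }
             elseif ($v -band $EncFlags.RC4_HMAC) { 'RC4_FLAG' }
    if ($state) {
        [pscustomobject]@{
            Name     = $a.SamAccountName; State = $state
            EncTypes = if ($null -eq $v) { '-' } else { ConvertTo-EncTypeNames $v }
        }
    }
}
$risky | Sort-Object State, Name | Format-Table -AutoSize

# 2. KDC audit events (IDs 201-209, source KDCSVC) since the audit phase began
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 201..209
                                           StartTime = [datetime]'2026-01-13' } `
                       -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -match 'KDCSVC|Kerberos-Key-Distribution-Center' }  # assumption

# Count per event ID and account; the account regex is a best-effort assumption
$events | ForEach-Object {
        $acct = if ($_.Message -match '(?m)^\s*(?:Account|Client)\s*(?:Name)?\s*:\s*(\S+)') {
                    $matches[1] } else { '?' }
        [pscustomobject]@{ Id = $_.Id; Account = $acct }
    } | Group-Object Id, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Any account that appears in the event summary but not in the inventory is worth a second look: it means the RC4 request came from the client side rather than from a missing attribute.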
How to fix it
Migrating from RC4 to AES is a surgical operation: it must be done account by account, testing authentication after each change. Here are the steps:
1. Set msDS-SupportedEncryptionTypes — for each service account, configure the attribute to a value that includes AES128 and AES256 (the most common value is 0x18, i.e. AES128 0x8 + AES256 0x10, the AES-CTS-HMAC-SHA1-96 types). This tells the KDC to issue AES tickets for that account.
2. Re-export keytabs — for non-Windows devices (NAS, Linux appliances), re-export the Kerberos keytab specifying an AES encryption type and update it on the device. An RC4 keytab no longer works after enforcement.
3. Update applications — verify that software using Kerberos authentication supports AES. For applications that force RC4, contact the vendor for an update or an alternative configuration.
4. Verify and monitor — after each change, check that authentication works and keep monitoring Event IDs 201–209 on the KDC. The goal is to reach zero RC4 events before the permanent removal of the registry workaround scheduled for July 2026.
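Steps 1, 2 and 4 for a single service account, as an added example that is not part of the original article. The account name, SPNs and host names are placeholders; the AES-key caveat in the comments is standard Kerberos behaviour, not something the article states.

```powershell
# Added example (not from the article): remediate one service account and verify.
# Placeholders: svc-erp, svc-nas, erp01/nas01.corp.example, CORP.EXAMPLE.
Import-Module ActiveDirectory
$attr   = 'msDS-SupportedEncryptionTypes'
$AES    = 0x18          # AES128 (0x8) + AES256 (0x10), no RC4 bit
$acct   = 'svc-erp'     # placeholder service account
$before = Get-ADUser $acct -Properties $attr, PasswordLastSet

# Step 1: set the attribute (the KDC reads it live; no reboot needed)
Set-ADUser $acct -Replace @{ $attr = $AES }
$after = Get-ADUser $acct -Properties $attr
'{0}: {1} -> {2}' -f $acct, $before.$attr, $after.$attr

# Caveat: AES keys are derived when the password is set. If the password was last
# set before the domain reached the 2008 functional level, the account has no AES
# keys and the KDC cannot issue AES tickets for it until the password is reset once:
#   Set-ADAccountPassword $acct -Reset -NewPassword (Read-Host -AsSecureString 'New password')
'PasswordLastSet: {0}' -f $before.PasswordLastSet

# Step 2 (non-Windows devices): re-export the keytab with AES only and copy it to
# the device. Note that ktpass with /mapuser and /pass also sets the account
# password, so the keytab and the AD keys stay in sync.
# ktpass /princ host/nas01.corp.example@CORP.EXAMPLE /mapuser svc-nas@corp.example `
#        /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out .\nas01.keytab

# Step 4: verify from a client: purge the cache, request a ticket for the service's
# SPN, and confirm the ticket's encryption type is AES rather than RC4-HMAC
klist purge | Out-Null
klist get HTTP/erp01.corp.example | Out-Null     # placeholder SPN registered on svc-erp
klist | Select-String -Pattern 'Server:|Encryption Type'
```

Repeat the klist check from the device or application host that actually uses the account, because a Windows client negotiating AES proves nothing about a NAS still holding an RC4 keytab.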
The three waves of Kerberos enforcement
RC4 deprecation is not an isolated event. It is part of a broader Kerberos hardening effort in Active Directory that Microsoft is pursuing on three fronts:
1. PAC Validation (CVE-2024-26248 + CVE-2024-29056) — full enforcement since 8 April 2025. The KDC rigorously validates the PAC (Privilege Attribute Certificate) signature, blocking PAC forgery attacks. Already active and permanent.
2. RC4 deprecation (CVE-2026-20833) — enforcement since 14 April 2026. The KDC no longer issues RC4 tickets for accounts without an explicit encryption type. Rollback possible via registry until July 2026, then permanent.
3. Certificate-based authentication (CVE-2025-26647) — strengthens validation of certificates used for Kerberos PKINIT authentication, preventing certificate impersonation attacks. Currently in phased rollout.
The message is clear: Active Directory is becoming more secure, but it requires continuous attention to configuration and monitoring. Domains left “as they are” for years accumulate technical debt that eventually translates into outages.
Migration support
AtWorkStudio has been managing Active Directory infrastructure for SMEs since 2000, from Piacenza, Italy. We hold ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, with ACN qualification for cloud services. We are members of Clusit (Italian Association for Information Security) and affiliated with Confindustria Piacenza in the RICT cluster.
If your Active Directory domain has not been prepared for RC4 enforcement, we can help with a targeted audit: RC4 account inventory, Event ID analysis on domain controllers, AES migration plan and post-enforcement verification. All without disrupting production.
Sources
- Microsoft Support KB5073381 — Official article on RC4 deprecation in Kerberos (CVE-2026-20833)
- Microsoft Tech Community — Kerberos encryption type enforcement timeline
- 4sysops — Technical guide to RC4-to-AES migration in Active Directory
- NVD — CVE-2026-20833, CVE-2024-26248, CVE-2024-29056, CVE-2025-26647