NewsSecurityInfrastructure

Kerberos RC4 Deprecation: Final Phase Hits July 14 — Act Now

Windows Active Directory padlock with RC4 being replaced by AES encryption key — Kerberos RC4 deprecation final phase July 2026
Microsoft's Kerberos RC4 deprecation reaches final enforcement on July 14, 2026

July 14 is the hard deadline. Microsoft’s three-phase Kerberos RC4 deprecation reaches its final stage with this month’s Patch Tuesday — and unlike the previous two phases, there is no rollback. No more audit mode. No registry key to flip. Any Windows environment still relying on RC4 encryption for Kerberos authentication will start seeing silent authentication failures on Monday. The audit window opened in January. The enforcement window opened in April. The exit closes July 14.

Three Phases, One Direction

Microsoft has been telegraphing this for over a year. The RC4 deprecation rollout under CVE-2026-20833 followed a deliberate three-step schedule:

  • January 2026 (Audit Mode): Domain controllers started logging KDCSVC events 201–209 in the System log, flagging every RC4-dependent authentication request.
  • April 2026 (Enforcement): RC4 disabled by default. Accounts without explicit msDS-SupportedEncryptionTypes settings started failing unless domain defaults still permitted it.
  • July 14, 2026 (Final): Audit mode removed. The RC4DefaultDisablementPhase registry key is ignored by updated domain controllers. RC4 is gone as an implicit fallback.

One nuance: RC4 still functions if an account explicitly declares it in msDS-SupportedEncryptionTypes. The silent “if nothing is configured, use RC4” behavior that has quietly kept aging environments alive is what disappears on July 14.

Why RC4 Needed to Die

RC4 is a stream cipher designed in 1987. The specific threat is Kerberoasting: an authenticated attacker requests a service ticket for any account with a Service Principal Name (SPN), and the KDC hands back a ticket encrypted with RC4. The attacker takes that ticket offline, and with modern GPU-based tooling running north of 100 billion guesses per second, cracks it. No network interaction after the initial request. No alerts. Just credentials.

AES-encrypted tickets do not crack like that. The migration closes an entire attack class — not just a theoretical one. Kerberoasting has been a standard entry in every red team playbook for years.

What Breaks on July 14

The dangerous scenario is not the accounts explicitly configured for RC4 — those are at least visible. The dangerous scenario is accounts with a blank msDS-SupportedEncryptionTypes attribute (null or decimal 0). Those accounts have been silently receiving RC4 tickets for years via domain defaults. After July 14, they fail.

  • Service accounts with msDS-SupportedEncryptionTypes = null, 0x0, 0x4 (RC4 only), or 0x7 (DES + RC4)
  • SMB share access to servers whose computer accounts lack AES keys
  • WMI and PowerShell remoting (New-PSSession) returning error 0x80090342
  • Java applications with default_tkt_enctypes = rc4-hmac in krb5.ini
  • Service accounts whose passwords were never reset after Windows Server 2008 DFL

How to Detect Exposure Now

Microsoft published two PowerShell scripts in the official Kerberos-Crypto GitHub repositoryList-AccountKeys.ps1 and Get-KerbEncryptionUsage.ps1 — that query the Security Event Log on domain controllers. Run this on a DC:

.\Get-KerbEncryptionUsage.ps1 -Encryption RC4

Any results mean active RC4 usage. Check Security Event IDs 4768 (TGT requests) and 4769 (service ticket requests) — Ticket Encryption Type 0x17 = RC4. KDCSVC events 201–209 in the System log are your pre-enforcement warnings. For a broader sweep, the open-source RC4-ADAssessment toolkit covers domain controllers, trusts, KRBTGT, and service accounts in a single pass.

The Fix — And the Gotcha Most Guides Miss

The remediation has two required steps. Most documentation covers the first and skips the second.

Step 1: Set the encryption type attribute

Set-ADUser 'your-service-account' -Replace @{'msDS-SupportedEncryptionTypes'=0x18}

Value 0x18 (decimal 24) enables AES128 and AES256 while excluding RC4 and DES.

Step 2: Reset the password (mandatory)

Setting the attribute alone is not enough. AES keys are generated when a password is set against a domain at functional level 2008 or higher. An account whose password has never been reset in the modern era does not have AES key material in the AD database — regardless of what msDS-SupportedEncryptionTypes says. Reset the password after setting the attribute.

For Java applications, update krb5.ini:

# Replace rc4-hmac references:
default_tkt_enctypes = aes256-cts aes128-cts
default_tgs_enctypes = aes256-cts aes128-cts
permitted_enctypes   = aes256-cts aes128-cts

For domain-wide enforcement on domain controllers via the KDC registry key:

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\KDC' `
  -Name DefaultDomainSupportedEncTypes -Value 0x18

Act Before Monday

If you have been running in enforcement mode since April without failures, you may already be clean. Confirm by checking KDCSVC events 203 and 204 (blocked RC4 attempts) in your System log — absence is a good sign. If you have not checked since January, run the Microsoft scripts now.

The Microsoft Learn guide on detecting and remediating RC4 Kerberos usage has the full remediation playbook including GPO-based enforcement steps and the complete KDCSVC event reference table.

RC4 had a long run. Thirty-nine years is generous for any cipher. It is time.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:News