https://communities.vmware.com/t5/VMware-vSphere-Discussions/Vsphere-7-RC4-warning-on-Domain-Controllers/m-p/2984737#M45985 <P>I'm late to party.&nbsp; What a cluster.&nbsp; Wish Microsoft would put more effort toward simplified OS administration rather than the next O365 feature I don't care about...</P><P><A href="https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-authentication-after-installing-the/ba-p/3696351" target="_blank" rel="noopener">https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-authentication-after-installing-the/ba-p/3696351</A></P><P><A href="https://support.microsoft.com/en-gb/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d" target="_blank" rel="noopener">https://support.microsoft.com/en-gb/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d</A></P><P><A href="https://github.com/takondo/11Bchecker" target="_blank" rel="noopener">https://github.com/takondo/11Bchecker</A></P><P>I need to test / verify in a lab first.</P><P>(May correct me if I'm wrong) - But the to the point summary is if you are certain your AD environment doesn't need RC4 then Microsoft recommendation is to:</P><P>Current Server Update</P><P>Default DC GPO&nbsp; --&gt;&nbsp;&nbsp;Configure encryption types allowed for Kerberos' policy --&gt; only enable AES</P><P>(Each DC) - HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC</P><P>REG_DWORD = DefaultDomainSupportedEncTypes</P><P>Value = 0x38</P><P>With this setup only AES for tickets + sessions and the "msDS-SupportedEncryptionTypes" attribute with null values will no longer need to be specified.&nbsp; (And will then fail authentication for object using Kerberos RC4)</P> Wed, 30 Aug 2023 22:16:26 GMT SayNo2HyperV 2023-08-30T22:16:26Z https://communities.vmware.com/t5/VMware-vSphere-Discussions/Vsphere-7-RC4-warning-on-Domain-Controllers/m-p/2984700#M45984 <P>With VC AD integrated our DCs are logging:</P><P>Netlogon 5840<BR /><SPAN>The Netlogon service created a secure channel with a client with RC4.<BR /></SPAN>Account Name: VC$<BR />Domain: mydomain.local<BR />Account Type: Domain Member<BR />Client IP Address:<BR />Negotiated Flags: 6007ffff<BR />For more information about why this was logged, please visit <A href="https://go.microsoft.com/fwlink/?linkid=2209514" target="_blank">https://go.microsoft.com/fwlink/?linkid=2209514</A>.</P><P><A href="https://kb.vmware.com/s/article/90227" target="_blank">https://kb.vmware.com/s/article/90227</A><BR /><A href="https://communities.vmware.com/t5/VMware-vCenter-Discussions/Change-vCenter-RC4-Kerberos-tickets-to-AES/td-p/2948035" target="_blank">https://communities.vmware.com/t5/VMware-vCenter-Discussions/Change-vCenter-RC4-Kerberos-tickets-to-AES/td-p/2948035</A><BR /><BR /></P><P>I've made the change yesterday to&nbsp;<SPAN>msDS-SupportedEncryptionTypes = 24<BR />But still getting log warning every ~6 hours.&nbsp; How to disable RC4 from being used?</SPAN></P> Wed, 30 Aug 2023 18:19:39 GMT https://communities.vmware.com/t5/VMware-vSphere-Discussions/Vsphere-7-RC4-warning-on-Domain-Controllers/m-p/2984700#M45984 SayNo2HyperV 2023-08-30T18:19:39Z https://communities.vmware.com/t5/VMware-vSphere-Discussions/Vsphere-7-RC4-warning-on-Domain-Controllers/m-p/2984737#M45985 <P>I'm late to party.&nbsp; What a cluster.&nbsp; Wish Microsoft would put more effort toward simplified OS administration rather than the next O365 feature I don't care about...</P><P><A href="https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-authentication-after-installing-the/ba-p/3696351" target="_blank" rel="noopener">https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-authentication-after-installing-the/ba-p/3696351</A></P><P><A href="https://support.microsoft.com/en-gb/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d" target="_blank" rel="noopener">https://support.microsoft.com/en-gb/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d</A></P><P><A href="https://github.com/takondo/11Bchecker" target="_blank" rel="noopener">https://github.com/takondo/11Bchecker</A></P><P>I need to test / verify in a lab first.</P><P>(May correct me if I'm wrong) - But the to the point summary is if you are certain your AD environment doesn't need RC4 then Microsoft recommendation is to:</P><P>Current Server Update</P><P>Default DC GPO&nbsp; --&gt;&nbsp;&nbsp;Configure encryption types allowed for Kerberos' policy --&gt; only enable AES</P><P>(Each DC) - HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC</P><P>REG_DWORD = DefaultDomainSupportedEncTypes</P><P>Value = 0x38</P><P>With this setup only AES for tickets + sessions and the "msDS-SupportedEncryptionTypes" attribute with null values will no longer need to be specified.&nbsp; (And will then fail authentication for object using Kerberos RC4)</P> Wed, 30 Aug 2023 22:16:26 GMT https://communities.vmware.com/t5/VMware-vSphere-Discussions/Vsphere-7-RC4-warning-on-Domain-Controllers/m-p/2984737#M45985 SayNo2HyperV 2023-08-30T22:16:26Z