VMware Cloud Community
fdaille
Contributor

Change vCenter RC4 Kerberos tickets to AES

Hello,

I noticed that vCenter was using Kerberos RC4 tickets for authentication with Active Directory accounts. Having discovered that RC4 is a protocol to avoid, do you know how to force vCenter to use AES-128 or AES-256 Kerberos tickets? Thanks in advance.

Here is my installation:
- vCenter 7.0.3
- ESXi 7.0 U3g
- App Volumes 4 (2209)
- Horizon 8 (2209)

Sincerely,

fdaille
Contributor

Resolved: you only need to change the identity source type to Active Directory over LDAP. That seems logical... 🙂

wboaz
Enthusiast

This is incorrect. Event 5840 still occurs after moving to secure LDAP.
The Netlogon service created a secure channel with a client with RC4. Account Name: XXXXXXXXXX

DMBMC
Contributor

Has anyone found the REAL fix for this yet?

memaad
Virtuoso

I hope this KB will help you: https://kb.vmware.com/s/article/90227

Mohammed | Mark it as helpful or correct if my suggestion is useful.
LazySysAdmin
Contributor

I had finally stopped vCenter from using RC4 a few months back... After I applied the v7 Update 3i update, RC4 has come back again. 😞

Lalegre
Virtuoso

@wboaz,

Could it be that, after switching to AD over LDAP, you still have the vCenter computer object in AD?

wboaz
Enthusiast

We ended up turning off legacy AD and removed the vCenter from AD.

We then set up secure LDAP (LDAPS) and set the binding service account to have the msDS-SupportedEncryptionTypes attribute set to a decimal value of 28 (hex 0x1C). Now I can see AES256 connections in Event Viewer.
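Decoding the msDS-SupportedEncryptionTypes value from the post above, as an added example that is not any poster's code: it lists the encryption types a given bitmask still enables, derives the AES-only value, and extracts account names from Event 5840 lines (the RC4 secure-channel event quoted earlier in the thread). The flag values are Microsoft's documented bits for the attribute; the log lines and the account name VCSA01$ are constructed.

```python
# msDS-SupportedEncryptionTypes bit flags, as documented by Microsoft for the attribute.
ENC_TYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-SK",  # session-key flag added by the November 2022 updates
}
WEAK_BITS = 0x01 | 0x02 | 0x04  # DES and RC4
AES_BITS = 0x08 | 0x10          # AES128 + AES256 = 24 (0x18)


def decode_enc_types(value: int) -> list:
    """Names of the encryption types enabled in an attribute value."""
    return [name for bit, name in sorted(ENC_TYPE_FLAGS.items()) if value & bit]


def allows_rc4(value: int) -> bool:
    """True if the account may still negotiate RC4-HMAC tickets."""
    return bool(value & 0x04)


def aes_only(value: int) -> int:
    """Clear the DES and RC4 bits; make sure at least the AES bits remain."""
    cleaned = value & ~WEAK_BITS
    return cleaned if cleaned & AES_BITS else cleaned | AES_BITS


# Constructed System-log lines; Event 5840 marks an RC4 Netlogon secure channel.
SAMPLE_LOG = [
    "5840 The Netlogon service created a secure channel with a client with RC4. Account Name: VCSA01$",
    "5823 The system successfully changed its password on the domain controller.",
]


def rc4_secure_channel_accounts(lines: list) -> list:
    """Account names from Event 5840 lines, i.e. clients still using RC4 secure channels."""
    hits = []
    for line in lines:
        if line.startswith("5840 ") and "with RC4" in line and "Account Name: " in line:
            hits.append(line.split("Account Name: ", 1)[1].strip())
    return hits
```

For the 28 (0x1C) value quoted above, decode_enc_types(28) returns RC4-HMAC alongside both AES types, so allows_rc4(28) is True; aes_only(28) returns 24 (0x18), which is the value that permits only AES128 and AES256.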

Roy788
Contributor

Hello fdaille,

So to summarize, you say the only action to take is to change the identity source in the vCenter Identity Provider to "Active Directory over LDAP" instead of "Active Directory (Integrated Windows Authentication)".


And then all connections to vcenter will use AES 128 or 256 encryption.

Is that right?


You made no modification to the msDS-SupportedEncryptionTypes attribute of the vCenter object in AD?

Tapas124
Contributor

I guess this will help: https://kb.vmware.com/s/article/90227

This November patch impacted the way authentication works.

Reference: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-aut...

I know it's an old thread but just adding this for reference.

tmahanta