Hello,
I noticed that vCenter was using Kerberos RC4 tickets for authentication with Active Directory accounts. Having discovered that RC4 is a protocol to avoid, do you know how to force vCenter to use AES-128 or AES-256 Kerberos tickets? Thanks in advance.
Here is my installation:
- vCenter 7.0.3
- ESXi 7.0 U3g
- App Volumes 4 (2209)
- Horizon 8 (2209)
Sincerely,
Resolved: you only need to change the identity source type to Active Directory over LDAP. That seems logical... 🙂
This is incorrect. Event 5840 still occurs after moving to secure LDAP.
The Netlogon service created a secure channel with a client with RC4. Account Name: XXXXXXXXXX
Has anyone found the REAL fix for this yet?
I hope this KB will help you https://kb.vmware.com/s/article/90227
I had finally stopped vCenter from using RC4 a few months back...after I applied the update v7 Update 3i, RC4 has come back again. 😞
Could it be possible that, after switching to AD over LDAP, you still have the vCenter computer object created?
We ended up turning off legacy AD and removed the vCenter from AD.
We then set up secure LDAP (LDAPS) and set the binding service account to have the msDS-SupportedEncryptionTypes attribute set to a decimal value of 28 (hex 0x1C). Now I can see AES256 connections in Event Viewer.
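The attribute value mentioned above is a bitmask, so as an added example (not code from this thread or from VMware) the script below decodes msDS-SupportedEncryptionTypes values as defined in MS-KILE, flags accounts that can still negotiate RC4, and computes the AES-only value; note that decimal 28 (0x1C) still has the RC4-HMAC bit (0x4) set, and AES128 + AES256 alone is 24 (0x18). Treating an unset attribute as RC4-capable, and the sample account names, are assumptions made for the example.

```python
# Bit -> Kerberos encryption type, as defined in MS-KILE section 2.2.7.
ENC_TYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",  # AES session-key flag, added by the Nov 2022 updates
}
LEGACY_BITS = 0x01 | 0x02 | 0x04  # DES and RC4
AES_BITS = 0x08 | 0x10            # AES128 + AES256 = 24 (0x18)
ALL_KNOWN_BITS = sum(ENC_TYPE_FLAGS)


def decode_enc_types(value):
    """Return the encryption types enabled in a bitmask value, in bit order."""
    if value < 0:
        raise ValueError("bitmask must be non-negative")
    names = [name for bit, name in sorted(ENC_TYPE_FLAGS.items()) if value & bit]
    unknown = value & ~ALL_KNOWN_BITS
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def allows_rc4(value):
    """True if the account can still negotiate RC4-HMAC.
    Assumption: an unset attribute (None) or 0 is treated as permitting RC4."""
    return True if not value else bool(value & 0x04)


def aes_only(value):
    """Strip DES/RC4 bits and ensure at least AES128 + AES256 remain."""
    kept = (value or 0) & ~LEGACY_BITS
    return kept if kept & AES_BITS else kept | AES_BITS


def audit(accounts):
    """accounts: sAMAccountName -> attribute value (None when unset).
    Returns (name, enabled types, recommended value) for every RC4-capable account."""
    return [(name, decode_enc_types(value or 0), aes_only(value))
            for name, value in accounts.items() if allows_rc4(value)]


# Constructed sample data: the value 28 from the thread, a hardened value, and an unset one.
SAMPLE_ACCOUNTS = {
    "svc-vcenter-ldap": 28,      # 0x1C = RC4 + AES128 + AES256
    "svc-vcenter-hardened": 24,  # 0x18 = AES128 + AES256 only
    "svc-legacy-bind": None,     # attribute never set
}
```

Running audit(SAMPLE_ACCOUNTS) reports the account set to 28 and the unset one, each with 24 as the recommended value; a recommended value still needs to be checked against what the client software actually supports before it is written to the object.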
Hello fdaille,
So to summarize, you say the only action to do is to change, in the vCenter Identity Provider, the identity source to Active Directory over LDAP instead of Active Directory (Integrated Windows Authentication).
And then all connections to vcenter will use AES 128 or 256 encryption.
That's right?
You did no modification to the msDS-SupportedEncryptionTypes attribute of the vCenter object in the AD?
I guess this will help: https://kb.vmware.com/s/article/90227
This November patch impacted the way authentication works.
Reference: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-aut...
I know it's an old thread but just adding this for reference.