vSphere 7 RC4 warning on Domain Controllers
With VC AD integrated our DCs are logging:
Netlogon 5840
The Netlogon service created a secure channel with a client with RC4.
Account Name: VC$
Domain: mydomain.local
Account Type: Domain Member
Client IP Address:
Negotiated Flags: 6007ffff
For more information about why this was logged, please visit https://go.microsoft.com/fwlink/?linkid=2209514.
https://kb.vmware.com/s/article/90227
https://communities.vmware.com/t5/VMware-vCenter-Discussions/Change-vCenter-RC4-Kerberos-tickets-to-...
I made the change yesterday to msDS-SupportedEncryptionTypes = 24
But I'm still getting the log warning every ~6 hours. How do I disable RC4 from being used?
I'm late to the party. What a cluster. Wish Microsoft would put more effort toward simplified OS administration rather than the next O365 feature I don't care about...
https://github.com/takondo/11Bchecker
I need to test / verify in a lab first.
(Correct me if I'm wrong) - But the to-the-point summary is: if you are certain your AD environment doesn't need RC4, then Microsoft's recommendation is to:
Current Server Update
Default DC GPO --> 'Configure encryption types allowed for Kerberos' policy --> only enable AES
(Each DC) - HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC
REG_DWORD = DefaultDomainSupportedEncTypes
Value = 0x38
With this setup, only AES is used for tickets + sessions, and the "msDS-SupportedEncryptionTypes" attribute with null values will no longer need to be specified. (And authentication will then fail for objects using Kerberos RC4.)
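
The following is an added example, not part of either post: a PowerShell helper that decodes the Kerberos encryption-type bitmasks mentioned in the thread (24 and 0x38) and shows which value applies to an account whose msDS-SupportedEncryptionTypes is unset. The function name, the `LEGACY$` account and the 0x27 default are constructed for illustration; the live queries are left as comments so the block runs without a domain.

```powershell
# Added example (not from the thread). Bit names follow Microsoft's
# documentation for msDS-SupportedEncryptionTypes.
[Flags()] enum KerbEncType {
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC                = 0x04
    AES128_CTS_HMAC_SHA1    = 0x08
    AES256_CTS_HMAC_SHA1    = 0x10
    AES256_CTS_HMAC_SHA1_SK = 0x20   # AES session keys
}

# Hypothetical helper: an unset (null or 0) account attribute falls back to
# the DC's DefaultDomainSupportedEncTypes value.
function Resolve-KerbEncTypes {
    param(
        [string]$Name,
        [Nullable[int]]$AccountValue,   # msDS-SupportedEncryptionTypes
        [int]$DomainDefault             # DefaultDomainSupportedEncTypes
    )
    $unset     = ($null -eq $AccountValue) -or ($AccountValue -eq 0)
    $effective = $DomainDefault
    $source    = 'domain default'
    if (-not $unset) {
        $effective = [int]$AccountValue
        $source    = 'account attribute'
    }
    [pscustomobject]@{
        Account   = $Name
        Source    = $source
        Effective = '0x{0:X}' -f $effective
        EncTypes  = [KerbEncType]$effective
        AllowsRC4 = [bool]($effective -band [int][KerbEncType]::RC4_HMAC)
    }
}

# Live equivalents (need the ActiveDirectory module / must run on a DC):
#   (Get-ADComputer VC -Properties msDS-SupportedEncryptionTypes).'msDS-SupportedEncryptionTypes'
#   Get-ItemProperty 'HKLM:\System\CurrentControlSet\services\KDC' -Name DefaultDomainSupportedEncTypes

# Constructed sample input: VC$ = 24 as in the first post; LEGACY$ is an
# invented account with no attribute set.
$accounts = @(
    @{ Name = 'VC$';     Value = 24    },
    @{ Name = 'LEGACY$'; Value = $null }
)
foreach ($default in 0x27, 0x38) {   # 0x27: constructed default that still includes RC4
    "DefaultDomainSupportedEncTypes = 0x{0:X}" -f $default
    $accounts | ForEach-Object {
        Resolve-KerbEncTypes -Name $_.Name -AccountValue $_.Value -DomainDefault $default
    } | Format-Table -AutoSize
}
```

Accounts that report `AllowsRC4 = True` only under the RC4-including default are the ones relying on the domain default rather than their own attribute, so they are the ones to review before changing the registry value on the DCs.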