SayNo2HyperV
Enthusiast

I'm late to the party.  What a cluster.  Wish Microsoft would put more effort toward simplified OS administration rather than the next O365 feature I don't care about...

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-aut...

https://support.microsoft.com/en-gb/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-rela...

https://github.com/takondo/11Bchecker

I need to test / verify in a lab first.

(Correct me if I'm wrong) - But the to-the-point summary is: if you are certain your AD environment doesn't need RC4, then Microsoft's recommendation is to:

Current Server Update

Default DC GPO  -->  'Configure encryption types allowed for Kerberos' policy --> only enable AES

(Each DC) - HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC

REG_DWORD = DefaultDomainSupportedEncTypes

Value = 0x38

With this setup only AES is used for tickets + sessions, and the "msDS-SupportedEncryptionTypes" attribute with null values will no longer need to be specified.  (And authentication will then fail for objects using Kerberos RC4)

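As an added example that is not part of the original post or of the 11Bchecker project: a PowerShell lab check that decodes the encryption-type bitmask, reads DefaultDomainSupportedEncTypes from each DC, and lists accounts with no AES bit set so they can be reviewed before RC4 is switched off. The function names and bit labels are my own; it assumes the ActiveDirectory (RSAT) module and rights to read the DC registry over PowerShell remoting.

```powershell
# Added example, not the post author's code. Decode and audit the Kerberos
# encryption-type bitmask shared by msDS-SupportedEncryptionTypes (AD attribute)
# and DefaultDomainSupportedEncTypes (KDC registry value on each DC).
$EncTypeBits = [ordered]@{
    DES_CBC_CRC           = 0x01
    DES_CBC_MD5           = 0x02
    RC4_HMAC_MD5          = 0x04
    AES128_CTS_HMAC_SHA1  = 0x08
    AES256_CTS_HMAC_SHA1  = 0x10
    FutureEncryptionTypes = 0x20   # bit 5; 0x38 = AES128 + AES256 + this bit
}

function ConvertFrom-KerberosEncTypes {
    param($Value)   # $null (attribute not set) is reported, not decoded
    if ($null -eq $Value) { return '(not set)' }
    $names = $EncTypeBits.GetEnumerator() |
        Where-Object { ([int]$Value -band $_.Value) -ne 0 } | ForEach-Object Name
    if ($names) { $names -join ', ' } else { '0x{0:X} (no known bits)' -f $Value }
}

function Test-KdcDefaultEncTypes {
    # Reads the per-DC registry value named in the post and compares it with 0x38.
    param([string[]]$DomainController = (Get-ADDomainController -Filter * | ForEach-Object HostName))
    foreach ($dc in $DomainController) {
        $val = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\services\KDC' `
                -Name DefaultDomainSupportedEncTypes -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
        }
        [pscustomobject]@{
            DC                  = $dc
            Value               = if ($null -ne $val) { '0x{0:X}' -f $val } else { '(absent)' }
            Decoded             = ConvertFrom-KerberosEncTypes $val
            MatchesRecommended  = ($val -eq 0x38)
        }
    }
}

function Get-AccountsWithoutAes {
    # Users and computers whose attribute is unset or carries no AES bit (0x08 / 0x10).
    # These are the objects to review in the lab before removing RC4 domain-wide.
    Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
        -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName' |
    Where-Object { ([int]$_.'msDS-SupportedEncryptionTypes' -band 0x18) -eq 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Class    = $_.ObjectClass
            EncTypes = ConvertFrom-KerberosEncTypes $_.'msDS-SupportedEncryptionTypes'
            HasSPN   = [bool]$_.servicePrincipalName   # service accounts deserve a closer look
        }
    }
}

Test-KdcDefaultEncTypes | Format-Table -AutoSize
Get-AccountsWithoutAes  | Format-Table -AutoSize
```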