Microsoft announced it will deprecate RC4 encryption in Kerberos for Windows authentication by mid-2026. This change will affect Windows Server 2008 and later, transitioning the default setting to AES-SHA1.
Transition to AES-SHA1
Domain controllers on Windows Server, starting with 2008, will switch the default encryption in the Kerberos Key Distribution Center (KDC) to the AES-SHA1 encryption types: AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96. Although RC4 will be disabled by default, it will remain available if explicitly configured. The shift is intended to harden Kerberos authentication by retiring a legacy cipher.
Security Tools and Guidance
Windows Server versions from 2019 onward feature new Security Event Log fields. These include msDS-SupportedEncryptionTypes, Available Keys, and Session Encryption Type, which help identify accounts or clients that rely solely on RC4.
Microsoft provides PowerShell scripts, List-AccountKeys.ps1 and Get-KerbEncryptionUsage.ps1, to assess encryption types and detect remaining RC4 usage. Administrators are encouraged to reset passwords on accounts with RC4 keys so that AES keys are generated, since Kerberos long-term keys are derived from the account password. Accounts lacking AES-SHA1 support need their attributes updated accordingly.
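The audit described above, as an added example that is not Microsoft's List-AccountKeys.ps1 or Get-KerbEncryptionUsage.ps1: it reads msDS-SupportedEncryptionTypes from enabled user and computer accounts and reports those that do not advertise an AES-SHA1 type, along with the password-set date that tells you whether a reset would have produced AES keys. It assumes the ActiveDirectory RSAT module and read access to the domain; the function name Get-NonAesAccounts is hypothetical.

```powershell
# Added example: audit accounts whose msDS-SupportedEncryptionTypes lacks AES.
# Not part of Microsoft's scripts. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute (per MS-KILE).
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}
$AesMask = 0x18   # either AES-SHA1 type

function ConvertTo-EncTypeNames {
    param([int]$Value)
    $names = foreach ($kv in $EncTypeBits.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
    }
    if (-not $names) { return 'none' }
    return ($names -join ',')
}

function Get-NonAesAccounts {
    # Hypothetical helper. Reports enabled user/computer objects that set no
    # AES bit, or leave the attribute unset (such accounts take the KDC default,
    # which was RC4 before this change). Confirm with Get-KerbEncryptionUsage.ps1.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $filter = '(&(|(objectClass=user)(objectClass=computer))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'   # enabled only
    $accounts = Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter `
        -Properties msDS-SupportedEncryptionTypes, samAccountName, pwdLastSet, objectClass
    foreach ($a in $accounts) {
        $raw   = $a.'msDS-SupportedEncryptionTypes'
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        if (($value -band $AesMask) -eq 0) {
            [pscustomobject]@{
                SamAccountName  = $a.samAccountName
                ObjectClass     = $a.objectClass
                Attribute       = if ($null -eq $raw) { 'unset' } else { '0x{0:X}' -f $value }
                EncTypes        = ConvertTo-EncTypeNames $value
                # A reset after AES was enabled in the domain yields AES keys.
                PasswordLastSet = [datetime]::FromFileTime([int64]$a.pwdLastSet)
            }
        }
    }
}

Get-NonAesAccounts | Sort-Object ObjectClass, SamAccountName | Format-Table -AutoSize
```

Accounts listed with an explicit RC4-only value need the attribute raised to include 0x18 (and a password reset for keys); accounts listed as unset should be checked against the KDC's default before the 2026 change lands.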
Implementation and Compliance
Organizations should ensure their devices support AES to align with the security baselines for Windows Server 2025. The Windows Admin Center offers tools to configure and audit the allowed Kerberos encryption types; compliant policies exclude RC4.
By adopting AES-SHA1, Microsoft aims to bolster authentication security across its Windows ecosystem, preparing organizations for the upcoming default change through comprehensive detection and mitigation strategies.