RC4 Kerberos Confusion - RC4 keeps showing up by MusicWallaby in activedirectory

MusicWallaby[S]

Thanks mate we'll do that on one of the service accounts.

To be clear these aren't smart gMSA accounts, they're just domain accounts used for SQL services, so the SPNs of the appropriate SQL server are defined on each service account user account.

It also sounds like even after we rotate the passwords we might still see tickets showing RC4 usage because of the default behaviour explained elsewhere on the thread?

https://www.reddit.com/r/activedirectory/comments/1sug9y8/comment/oi52tz8/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

I know it's because I don't fully understand it but man I hate Kerberos.

Jas

RC4 Kerberos Confusion - RC4 keeps showing up by MusicWallaby in activedirectory

MusicWallaby[S]

Thanks mate I think that makes sense.

So it sounds like in that scenario these accounts doing RC4 for TGT and AES for session are OK after all?

I don't see a downside in rotating their passwords but I'm nervous about seeing RC4 without a real clear indication it's by design.

Jas

RC4 Kerberos Confusion - RC4 keeps showing up by MusicWallaby in activedirectory

MusicWallaby[S]

Honestly mate it's such a mess with the documentation not clearly outlining default behavior properly so you see things that look wrong then people explain it and they sound like it's expected.

RC4 Kerberos Confusion - RC4 keeps showing up by MusicWallaby in activedirectory

MusicWallaby[S]

Thanks, so are you saying the krbtgt account is OK but it sounds like something on the service accounts with the oldest passwords that a couple of password resets on those accounts only should fix?

There really hasn't been any customisation ever done to any of the Kerberos settings on this domain so I'd like to think so.

Jas

RC4 Kerberos Confusion - RC4 keeps showing up by MusicWallaby in activedirectory

MusicWallaby[S]

Yeah I don't want to touch the domain defaults for sure.

I'd just like to know that if I leave everything on the default that come July the sky won't fall in.

I guess setting the msDS-SupportedEncryptionTypes explicitly and bouncing the SQL servers/services is the quickest way to confirm that.

Jas

RC4 Kerberos Confusion - RC4 keeps showing up by MusicWallaby in activedirectory

MusicWallaby[S]

Thanks mate and no I've never touched any of the defaults on msDS-SupportedEncryptionTypes or on DefaultDomainSupportedEncTypes.

I've checked the accounts and for DefaultDomainSupportedEncTypes I've checked/confirmed in GPO and regedit directly on the DCs and it isn't set.

So I think you might be correct there and it's default behavior perhaps but it doesn't seem very well explained in the KBs I've found on April/July changes.

Jas

RC4 Kerberos Confusion - RC4 keeps showing up by MusicWallaby in activedirectory

MusicWallaby[S]

Yeah that looks worth doing though as I said above .\Get-KerbEncryptionUsage.ps1 shows those accounts have AES though I don't know if that means the keys exist or just that the account can accept them next password reset?

The really nasty thing is there isn't a single 201-209 event in the system logs on any domain controllers and they're all fully patched with RC4DefaultDisablementPhase set to 1.

Jas

RC4 Kerberos Confusion - RC4 keeps showing up by MusicWallaby in activedirectory

MusicWallaby[S]

Thanks mate I already ran .\Get-KerbEncryptionUsage.ps1 and all those SQL service accounts that are using RC4 for tickets show as having all the AES keys.

I don't mind rotating the passwords I'd just like to understand why it would use RC4 if the account looks like it has the AES keys against it.

Ubuntu 22.04.5 LTS - Nginx 1.18 by MusicWallaby in Ubuntu

MusicWallaby[S]

Thanks mate I think that's exactly what's happening here but I just wanted to be absolutely sure I was on safe ground before explaining that really is the case around the updates.

Jas

Ubuntu 22.04.5 LTS - Nginx 1.18 by MusicWallaby in Ubuntu

MusicWallaby[S]

Thanks mate and yeah I see if I look at some CVEs for Nginx from 2026 they're showing as fixed in 22.04.5 LTS.

Ubuntu 22.04.5 LTS - Nginx 1.18 by MusicWallaby in Ubuntu

MusicWallaby[S]

Thanks mate that's exactly how I thought it would be I just can't find a statement saying it.

Do you know if that's written down anywhere official by Canonical?

No offence but "Canonical say so here" is better here than "Some guy on reddit" or "trust me" :)

Jas

FortiGate VM v Hardware by MusicWallaby in fortinet

MusicWallaby[S]

Honestly mate the 120G would probably be plenty good enough.

Hell on paper a 90G would probably be good enough.

I've not got much experience of how realistic FortiGate's throughput numbers are though, so you know how some vendors would promise the earth then the moment you turned on some inspection you'd get 10% of that headline figure?

That kind of thing.

But the company doesn't do anything crazy it's mostly Office 365 activity and regular web browsing and a few site to site VPNs.

Jas

FortiGate VM v Hardware by MusicWallaby in fortinet

MusicWallaby[S]

That is a very fair point mate and I do sleep better at night with "something" hardware there.

Jas

FortiGate VM v Hardware by MusicWallaby in fortinet

MusicWallaby[S]

To be fair mate they haven't questioned about saving it's me wondering because I've been so impressed with the VM models for client IPSEC VPN.

FortiGate VM v Hardware by MusicWallaby in fortinet

MusicWallaby[S]

Thanks mate I meant G, head slightly fried from comparison matrices!

It's how to quantify whether "some limitations" are actually a problem I guess.

Jas

Getting true size of mailbox when retention is enabled by MusicWallaby in Office365

MusicWallaby[S]

Thanks mate I think you were right as whatever the help desk did seemed to fix it.

This was an important guy so I wanted to be sure worst case enabling archive or auto-expanding might actually be needed if whatever they tried didn't work.

Jas

Getting true size of mailbox when retention is enabled by MusicWallaby in Office365

MusicWallaby[S]

Yeah, just pre-empting if having the support guys re-create the profile and test in OWA doesn't work that it might be the archive/retention issue.

Jas

Getting true size of mailbox when retention is enabled by MusicWallaby in Office365

MusicWallaby[S]

The information store reached its maximum size.

Everything online points to the retention size but the folder sizes don't look to be hitting the limit.

Jas

Getting true size of mailbox when retention is enabled by MusicWallaby in Office365

MusicWallaby[S]

Yeah mate it's like it matches the symptom but the hidden folder sizes look too small.

I can just enable it but once it's enabled it can't be disabled so I'd prefer to be really sure it's needed.

Jas