JosephTarbit-3060 asked JosephTarbit-3060 answered

Server 2019 DC - Kerberos RC4 Authentication

We have recently updated our DCs from Windows Server 2016 to Windows Server 2019 and all our legacy systems (Windows XP + Windows 2000) are no longer able to log in and retrieve group policies. It's been suggested in quite a few forums, in particular https://social.technet.microsoft.com/Forums/ie/en-US/7420a288-7111-458a-bf32-efad80d5e5e5/server-2019-dc-kerberos-rc4-authentication?forum=ws2019, that the issue is due to Windows Server 2019 lacking RC4 support for Kerberos authentication. It hasn't been listed in any official documentation that WS 2019 doesn't support it, yet I've tried all the methods outlined in the forum I linked above but to no avail.

Any assistance would be greatly appreciated.
(And yes, I know RC4 is more insecure and that we should upgrade our legacy systems; this is in the pipeline, but we need a solution in the meantime.)

Tags: windows-active-directory, windows-server-2019

JosephTarbit-3060 answered

I have fixed the problem. It seems that although I had selected RC4_HMAC_MD5 in "Network security: Configure encryption types allowed for Kerberos", I had to deselect all other encryption types in order for it to actually work. Not sure if that's intended behaviour but it fixed my problem.


DSPatrick answered

Not sure what is meant. Windows XP is officially no longer supported. The only solution is to keep the older domain controllers until you can upgrade the desktops.
https://docs.microsoft.com/en-us/lifecycle/products/windows-xp

--please don't forget to Accept as answer if the reply is helpful--






FanFan-MSFT answered JosephTarbit-3060 commented

Hi,

You can check whether there are any policies defined for the Supported Kerberos Encryption Types.
If no policies are defined, you can check the attribute on the DC to see whether RC4 is supported:
[Screenshot: 78498-3172.jpg]

More details for your reference:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797

Since there is no longer support for Windows XP and Windows 2000, there is also no patching or testing for XP scenarios.
More unexpected incompatibilities may occur.
It is suggested to upgrade the old clients.

Best Regards,



Are you suggesting that I might be able to enable the RC4 cipher via that attribute on the DC?


I’ve just checked and it seems RC4 is already there. Is there a way of verifying if it is actually enabled? In addition, is there a way of debugging Kerberos authentication in a more detailed manner because event viewer seems to provide very generic logs which aren’t much help.

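One way to check what the "Network security: Configure encryption types allowed for Kerberos" setting discussed in this thread actually resolves to, as an added PowerShell example that is not from any poster here: it decodes the SupportedEncryptionTypes bitmask the policy writes and lists which types a DC value shares with a legacy client. The sample masks are constructed, and the function names and the legacy-client mask (DES and RC4, no AES) are assumptions of this example.

```powershell
# Added example (not from the thread). Bit values of the SupportedEncryptionTypes
# mask written by "Network security: Configure encryption types allowed for Kerberos".
$EtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory)][long]$Mask)
    # Names of every encryption type whose bit is set in the mask.
    $EtypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-KerberosPolicyMask {
    # Value the policy writes on this machine; returns $null when "Not Defined".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
}

function Compare-KerberosEtypes {
    param([Parameter(Mandatory)][long]$DcMask, [Parameter(Mandatory)][long]$ClientMask)
    # Types both sides accept; '(none)' means they share no encryption type.
    $common = $DcMask -band $ClientMask
    [pscustomobject]@{
        DcMask     = '0x{0:X}' -f $DcMask
        DcAllows   = (ConvertFrom-KerberosEtypeMask $DcMask) -join ', '
        Common     = if ($common) { (ConvertFrom-KerberosEtypeMask $common) -join ', ' } else { '(none)' }
        Rc4Allowed = [bool]($DcMask -band 0x4)
        AesAllowed = [bool]($DcMask -band 0x18)
    }
}

$LegacyClientMask = 0x7        # assumption: XP/2000 offer DES and RC4, no AES
$masks = @(0x4, 0x1C, 0x18)    # constructed values: RC4 only, RC4+AES, AES only
$local = Get-KerberosPolicyMask
if ($null -ne $local) { $masks += $local }   # append this machine's real value
$masks | ForEach-Object { Compare-KerberosEtypes -DcMask $_ -ClientMask $LegacyClientMask } |
    Format-Table -AutoSize
```

The low five bits have the same meaning in the msDS-SupportedEncryptionTypes account attribute, so a value read from a DC's computer object can be passed to the same function.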