DipakShinde-1318 asked:

If we disable RC4 encryption in GPO Domain Level, it is not allowing users to login

Issue: old AD; RC4 encryption is in use. The client reported that it is weak and asked us to switch to AES.

We enabled AES encryption >> tested >> all normal.

We disabled RC4 encryption >> we couldn't connect back to the environment (we use the client's Citrix for RDP). We reverted the GPO settings, enabled RC4, and we were able to log in again.

How can we disable RC4 safely without any issue for user login?

Please assist.

Tags: windows-active-directory, windows-server-2016

Hello @DipakShinde-1318,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

DaisyZhou-MSFT answered:

Hello @DipakShinde-1318,

Thank you for posting here.

Before disabling RC4, please make sure that RC4 is no longer in use; otherwise it may affect the working of the environment.

Based on the description "We disabled RC4 encryption >> we couldn't connect back to environment (we use Client's Citrix for RDP), we were unable to connect. Reverted GPO settings, enabled RC4, and we were able to login.",

Here are my suggestions:
There may be several aspects involved in this login process: the client endpoint, the remote endpoint, the domain controller endpoint and the Citrix endpoint. I'm not sure which endpoint (or several of them) only supports RC4 and not strong encryption (such as AES), so you need to check and confirm it. Once you have found it, it is recommended to set strong encryption (such as AES) on all endpoints; in that case, even if weak encryption (RC4) is disabled, they all support strong encryption, so you can log in successfully.

Tips:
1. You can capture network packets or use other methods to check.
2. I am sorry, but because private information and security information may be involved, the forum does not collect or analyze logs.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

Thameur-BOURBITA answered:

Hi,

Before disabling RC4, you should check that all operating systems and applications support AES.
You also have to enable AES on the trust relationship between the two domains and on all service accounts with an SPN used to set up a service for Kerberos authentication.
If you have a keytab file, check whether it supports AES; if not, you have to generate a new one with AES.

Some best practices to enable AES and disable RC4

Please don't forget to mark helpful reply as answer
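The checks both answers recommend (service accounts with SPNs, computer accounts and trusts that still only advertise RC4) can be inventoried from Active Directory before the GPO change. The script below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module and a domain-joined account with read access, and reads the msDS-SupportedEncryptionTypes attribute whose bit flags are documented in MS-KILE (RC4 = 0x4, AES128 = 0x8, AES256 = 0x10).

```powershell
# Added example (not from the thread): list AD principals and trusts that would break
# once RC4 is disabled, by decoding msDS-SupportedEncryptionTypes.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7)
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-EncTypeStatus {
    param([int]$Value)
    # An unset attribute (null/0) is commonly treated by the KDC as "RC4 only"
    # unless the domain default has been changed, so it counts as a blocker.
    if ($Value -eq 0) { return 'NOT SET (RC4 default)' }
    $aes = ($Value -band ($AES128 -bor $AES256)) -ne 0
    $rc4 = ($Value -band $RC4) -ne 0
    if ($aes -and $rc4) { return 'AES+RC4' }
    if ($aes)           { return 'AES only' }
    if ($rc4)           { return 'RC4 ONLY' }
    return ('Other (0x{0:X})' -f $Value)
}

# Users and computers holding an SPN (service accounts, hosts), plus trust objects.
$filter = '(&(servicePrincipalName=*)(|(objectClass=user)(objectClass=computer)))'
$props  = 'msDS-SupportedEncryptionTypes', 'operatingSystem'
$principals = @(Get-ADObject -LDAPFilter $filter -Properties $props)
$trusts     = @(Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties 'msDS-SupportedEncryptionTypes')

$report = foreach ($obj in $principals + $trusts) {
    $v = [int]($obj.'msDS-SupportedEncryptionTypes')   # null becomes 0
    [pscustomobject]@{
        Name   = $obj.Name
        Class  = $obj.ObjectClass
        OS     = $obj.operatingSystem
        Status = Get-EncTypeStatus -Value $v
    }
}

# Anything whose status does not start with "AES" will fail Kerberos once RC4 is gone.
$blockers = $report | Where-Object { $_.Status -notlike 'AES*' }
$blockers | Sort-Object Class, Name | Format-Table -AutoSize
```

For keytabs held by non-Windows service hosts, `klist -kte <keytab>` on the host shows the enctype of each key so RC4-only keytabs can be regenerated with AES before the cutover.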