Windows Server 2019 AD not correctly negotiating Kerberos encryption type

Joseph Tarbit 111 Reputation points
2021-03-20T10:54:36.983+00:00

I have configured “Network security: Configure encryption types allowed for Kerberos” and selected RC4 along with both AES options; however, RC4 does not get enabled unless I uncheck every other option apart from RC4. I’m testing this by using a Windows XP client; however, this obviously affects many other applications that also only support RC4 encryption, including a lot of Linux clients.

I assume what’s going on is Windows is attempting to authenticate using a higher encryption type than what the requesting client supports, aka even though the server has RC4 enabled, it doesn’t use it unless it’s the only enabled encryption type. It works in Windows Server 2016; however, something in 2019 is preventing the correct encryption type from being negotiated.

I’ve tried setting the registry key Kerberos/Parameters/DefaultEncryptionType to RC4 but it doesn’t help.


1 answer

  1. Fan Fan 15,281 Reputation points Microsoft Vendor
    2021-03-22T01:43:15.33+00:00

    Hi,
    Since Windows XP is not supported, I didn't have an environment to test the compatibility issues.
    Also, since there are no updates and patches for the XP clients, you may have other unexpected compatibility issues.
    Here, I would suggest you upgrade the clients.
    Best Regards,
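
For checking what the policy from the question actually allows, here is an added example (not part of either post above and not Microsoft's code) that decodes the `SupportedEncryptionTypes` bitmask the policy writes and shows which type a strongest-common-etype selection would pick. The selection function is a simplified model of KDC behaviour, and the client offer lists are constructed sample values.

```python
# Bit flags of the SupportedEncryptionTypes / msDS-SupportedEncryptionTypes
# bitmask, mapped to (name, Kerberos etype number).
ETYPE_BITS = {
    0x01: ("DES-CBC-CRC", 1),
    0x02: ("DES-CBC-MD5", 3),
    0x04: ("RC4-HMAC", 23),
    0x08: ("AES128-CTS-HMAC-SHA1-96", 17),
    0x10: ("AES256-CTS-HMAC-SHA1-96", 18),
}
NAMES = {num: name for name, num in ETYPE_BITS.values()}

# Strongest first. Assumption of this model: the KDC prefers the strongest
# type that both sides allow.
PREFERENCE = [18, 17, 23, 3, 1]


def decode_mask(mask):
    """Return the names of the encryption types enabled in a policy bitmask."""
    return [name for bit, (name, _) in sorted(ETYPE_BITS.items()) if mask & bit]


def negotiate(policy_mask, client_etypes):
    """Return the strongest etype allowed by the policy and offered by the
    client, or None (a real KDC would answer KDC_ERR_ETYPE_NOSUPP)."""
    allowed = {num for bit, (_, num) in ETYPE_BITS.items() if policy_mask & bit}
    for etype in PREFERENCE:
        if etype in allowed and etype in client_etypes:
            return NAMES[etype]
    return None


if __name__ == "__main__":
    policy = 0x04 | 0x08 | 0x10   # RC4 + AES128 + AES256 ticked, as in the question
    xp_offer = [23, 3, 1]         # constructed: a client with no AES support
    modern_offer = [18, 17, 23]   # constructed: a client that supports AES

    print(hex(policy), decode_mask(policy))
    print("RC4-only client   ->", negotiate(policy, xp_offer))
    print("AES-capable client->", negotiate(policy, modern_offer))
    print("AES-only policy   ->", negotiate(0x18, xp_offer))
```

If the decoded registry value on the domain controller does not include RC4-HMAC after the policy is applied, the setting has not taken effect as configured; if it does, the mismatch lies elsewhere in the ticket exchange.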