
manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833

SAGA 45 Reputation points
2026-03-20T12:19:50.2033333+00:00

Hello All,

We came to know there is an enforcement coming for RC4 Kerberos, and AES will be enforced from April. We noticed that if we create the registry key RC4DefaultDisablementPhase, it will postpone this until July and won't disable RC4. But this registry key requires a reboot, and we have many domain controllers and there is no downtime window right now. So if we deploy the key now, and the April patch is pushed and rebooted later, will the registry key take effect or won't it?

Also after the audit review how the apps team will mitigate from their end?


2 answers

  1. Harry Phan 17,200 Reputation points Independent Advisor
    2026-03-20T13:10:57.4166667+00:00

    Hi SAGA,

    Yes, if you set the RC4DefaultDisablementPhase registry key before April, it will still take effect after the April patch once the domain controller is rebooted. The enforcement only applies after restart, so the key will successfully postpone RC4 disablement until July. The key must be placed under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters and present before the patch is applied.

    For the applications side, mitigation means they must stop relying on RC4 and move to AES. That requires updating service accounts and applications so their Kerberos accounts have msDS-SupportedEncryptionTypes set to include AES128 and AES256. Legacy systems or appliances that cannot negotiate AES will need vendor updates or reconfiguration. In short, your registry key buys time until July, but the apps team must ensure Kerberos tickets are issued with AES before the grace period ends.

    Reference link: https://support.microsoft.com/en-us/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc


    I hope you found something helpful here. If it does help to explain your question, please accept the answer, or give it a thumbs up to encourage my contribution. Thank you.

    Harry.
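Added example, not part of Harry's answer or of Microsoft's documentation: a PowerShell audit of the accounts the apps team would have to review, classifying each SPN-bearing account by its msDS-SupportedEncryptionTypes bits (the standard Kerberos etype flags). It assumes the ActiveDirectory RSAT module and read access to the domain; the function and variable names, and the svc_example account in the commented remediation line, are mine.

```powershell
# Added example, not from the page's answers. Audits every AD account that holds
# an SPN and classifies its msDS-SupportedEncryptionTypes so the apps team can
# see which services still depend on RC4. Assumes the ActiveDirectory module
# and read access to the domain; function and variable names are mine.
Import-Module ActiveDirectory

# Standard bit flags of msDS-SupportedEncryptionTypes.
$ETYPE = @{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}

function Get-KerberosEtypePosture {
    param([int]$Value)
    # 0 / unset means the account states no preference and the KDC applies its
    # default assumption, which is exactly what RC4DefaultDisablementPhase changes.
    if ($Value -eq 0) { return 'NotSet-KdcDefaultApplies' }
    $hasAes = ($Value -band ($ETYPE.AES128 -bor $ETYPE.AES256)) -ne 0
    $hasRc4 = ($Value -band $ETYPE.RC4_HMAC) -ne 0
    $hasDes = ($Value -band ($ETYPE.DES_CBC_CRC -bor $ETYPE.DES_CBC_MD5)) -ne 0
    if ($hasAes -and -not ($hasRc4 -or $hasDes)) { return 'AESOnly' }
    if ($hasAes) { return 'AESPlusLegacy' }
    return 'LegacyOnly-WillBreak'
}

function Get-ServiceAccountEtypeReport {
    # Any user or computer object with at least one SPN can be a Kerberos service.
    $accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -Properties sAMAccountName, objectClass, 'msDS-SupportedEncryptionTypes'
    foreach ($a in $accounts) {
        $raw = $a.'msDS-SupportedEncryptionTypes'
        $val = if ($null -eq $raw) { 0 } else { [int]$raw }
        [pscustomobject]@{
            Account = $a.sAMAccountName
            Class   = $a.objectClass
            Etypes  = ('0x{0:X2}' -f $val)
            Posture = Get-KerberosEtypePosture -Value $val
        }
    }
}

# Everything that is not already AES-only is work for the apps team.
Get-ServiceAccountEtypeReport |
    Where-Object Posture -ne 'AESOnly' |
    Sort-Object Posture, Account |
    Format-Table -AutoSize

# Remediation for one account (svc_example is a placeholder) once its application
# is confirmed to handle AES. For a user-based service account, AES keys only
# exist if the password was set after AES became available in the domain, so
# reset the password afterwards if unsure.
# Set-ADUser -Identity svc_example -KerberosEncryptionType AES128, AES256
```

The "NotSet" rows are the ones whose behaviour the phase change alters: with no explicit value, the KDC's default assumption decides whether RC4 is offered, so those accounts need an explicit AES setting before the grace period ends.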


  2. Q&A Assist
    2026-03-20T12:20:10.1733333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The RC4DefaultDisablementPhase registry value is only read by the KDC service after the January 13, 2026 (or later) updates are installed and the domain controller is restarted. A restart is required for the setting to take effect.

    Behavior from the documentation:

    • The registry key is introduced and used to gate the deployment of the Kerberos changes after the January 13, 2026 updates are installed.
    • Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
    • Value name: RC4DefaultDisablementPhase (REG_DWORD)
    • Values:
      • 0 – No audit, no change
      • 1 – Warning events logged on default RC4 usage (Phase 1 default)
      • 2 – Kerberos assumes RC4 is not enabled by default (Phase 2 default)
    • “Restart required? Yes” – the KDC must be restarted (normally via OS reboot) for any change to this value to apply.

    Given that:

    • If the registry value is deployed now but the domain controllers are not restarted, the setting will not be active yet.
    • When the April update is later installed and the domain controller is then rebooted, the KDC will read the existing RC4DefaultDisablementPhase value at that time.
    • Therefore, if RC4DefaultDisablementPhase is already set (for example, to 1) before the first reboot after the April update, that configured value will take effect after that reboot and will control behavior instead of the default phase for that DC.

    So, deploying the registry key in advance is effective as long as the value is present before the first reboot after installing the April (or later) updates. The behavior (including postponing enforcement as documented for the configured phase) will begin only after that reboot when the KDC reads the key.


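Added example, not part of the Q&A Assist answer or of Microsoft's documentation: PowerShell that stages the REG_DWORD value on every domain controller without rebooting, and then reports which DCs have restarted since the value was written, which is the state the question is asking about. It assumes WinRM access to the DCs and the ActiveDirectory module. Because the two answers on this page quote different registry paths for the value, $KeyPath is a placeholder that must be taken from the Microsoft KB article linked in the first answer; the function names are mine.

```powershell
# Added example, not from the page's answers. Stages RC4DefaultDisablementPhase
# on every DC without rebooting, then shows which DCs still await the restart
# that makes the KDC read it. $KeyPath is a PLACEHOLDER: the two answers above
# cite different paths, so take the real one from the linked Microsoft KB.
Import-Module ActiveDirectory

$ValueName = 'RC4DefaultDisablementPhase'

function Set-Rc4PhaseOnDCs {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # e.g. 'HKLM:\<path from the KB>'
        [ValidateSet(0, 1, 2)][int]$Phase = 1     # 1 = warning events only (audit phase)
    )
    $dcs = (Get-ADDomainController -Filter *).HostName
    $stagedAt = Get-Date   # taken before the write so a later boot is never misread
    Invoke-Command -ComputerName $dcs -ArgumentList $KeyPath, $ValueName, $Phase -ScriptBlock {
        param($KeyPath, $ValueName, $Phase)
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        # The KDC expects a REG_DWORD; -Force overwrites a wrong type or old value.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Phase -Force | Out-Null
    }
    return $stagedAt   # feed this into Get-Rc4PhaseStatus
}

function Get-Rc4PhaseStatus {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][datetime]$StagedAt   # value returned by Set-Rc4PhaseOnDCs
    )
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ArgumentList $KeyPath, $ValueName -ScriptBlock {
        param($KeyPath, $ValueName)
        $key  = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
        $val  = if ($key) { $key.GetValue($ValueName) } else { $null }
        $kind = if ($key -and $null -ne $val) { [string]$key.GetValueKind($ValueName) } else { 'Missing' }
        [pscustomobject]@{
            DC       = $env:COMPUTERNAME
            Value    = $val
            Type     = $kind
            LastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        }
    } | ForEach-Object {
        # The KDC reads the value only when it starts, so a boot older than the
        # staging time means the DC is still running with the default phase.
        $state = if ($null -eq $_.Value)            { 'Missing' }
                 elseif ($_.Type -ne 'DWord')        { 'WrongType-Ignored' }
                 elseif ($_.LastBoot -lt $StagedAt)  { 'Staged-AwaitingReboot' }
                 else                                { 'Active' }
        [pscustomobject]@{
            DC = $_.DC; Value = $_.Value; Type = $_.Type; LastBoot = $_.LastBoot; State = $state
        }
    }
}

# Usage (replace the placeholder path with the one from the KB first):
# $t = Set-Rc4PhaseOnDCs -KeyPath 'HKLM:\PLACEHOLDER-FROM-KB' -Phase 1
# Get-Rc4PhaseStatus -KeyPath 'HKLM:\PLACEHOLDER-FROM-KB' -StagedAt $t | Format-Table -AutoSize
```

Re-running Get-Rc4PhaseStatus after the April update has been installed and each DC rebooted flips that DC from Staged-AwaitingReboot to Active, which is the point at which the KDC is actually honouring the configured phase rather than the update's default.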
