Explanation: This is warning you that RC4 is disabled on at least some DCs. Event ID 16 Description: While processing a TGS request for the target server http/foo.contoso.com, the account admin@contoso.com did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). Good times! If the account does have msds-SupportedEncryptionTypes set, this setting is honored and might expose a failure to have configured a common Kerberos Encryption type masked by the previous behavior of automatically adding RC4 or AES, which is no longer the behavior after installation of updates released on or after November 8, 2022. Adds PAC signatures to the Kerberos PAC buffer. You can leverage the same 11b checker script mentioned above to look for most of these problems. If you have already installed updates released on or after November 8, 2022, you can detect devices which do not have a common Kerberos Encryption type by looking in the Event Log for Microsoft-Windows-Kerberos-Key-Distribution-Center Event 27, which identifies disjoint encryption types between Kerberos clients and remote servers or services. Microsoft's weekend Windows Health Dashboard . It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext, and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. Authentication protocols enable authentication of users, computers, and services, making it possible for authorized services and users to access resources in a secure manner. Kerberos replaced the NTLM protocol to be the default authentication protocol for domain connected devices on all Windows versions above Windows 2000.
After installed these updates, the workarounds you put in place are no longer needed. If your security team gives you a baseline image or a GPO that has RC4 disabled, and you havent finished prepping the entire environment to solely support AES, point them to this article. When a problem occurs, you may receive a Microsoft-Windows-Kerberos-Key-Distribution-Center error with Event ID 14 in the System section of the event log on your domain controller. To mitigate this issue, follow the guidance on how to identify vulnerabilities and use the Registry Key setting section to update explicitly set encryption defaults. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. Next StepsIf you are already running the most up-to-date software and firmware for your non-Windows devices and have verified that there is a common Encryption type available between your Windows domain controllersand your non-Windows devices, you will need to contact your device manufacturer (OEM) for help or replace the devices with ones that are compliant. Machines only running Active Directory are not impacted. "After installing KB4586781 on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues," Microsoft explains. If the Users/GMSAs/Computers/Service accounts/Trust objects msDS-SupportedEncryptionTypes attribute was NULL (blank) or a value of 0, the KDC assumes account only supports RC4_HMAC_MD5. 3 -Enforcement mode. The accounts available etypes: