TL;DR: Microsoft’s RC4 deprecation for Kerberos begins with auditing in January 2026, manual rollback in April, and full enforcement in July, making legacy service accounts and unsupported applications the immediate risk, according to Semperis. The real issue is not encryption alone, but the long tail of RC4-only identity dependencies hidden in Active Directory.
NHIMG editorial — based on content published by Semperis: why RC4 is being decommissioned and how to audit for apps that use it
By the numbers:
- Microsoft has announced a phased deprecation of RC4 encryption for Kerberos: auditing begins in January 2026, the deprecation itself takes effect in April 2026, and full enforcement follows in July 2026.
- The query in the article looks back 60 days when searching for RC4-related Kerberos events in Microsoft Sentinel.
Questions worth separating out
Q: How should teams handle RC4-dependent service accounts before Kerberos enforcement changes?
A: Identify every service account, SPN, and scheduled task that still depends on RC4, then confirm where each one is used in production.
Q: Why do old service accounts keep breaking Kerberos encryption migration projects?
A: Because RC4 support in Active Directory is often tied to password history, not just current configuration.
Q: What breaks when Kerberos auditing is not enabled before RC4 deprecation?
A: Teams lose the evidence needed to see which identities still request RC4 tickets, so remediation becomes guesswork.
Practitioner guidance
- Audit Kerberos events for RC4 usage: search event IDs 4768 and 4769 for ticket encryption or session encryption type 0x17, then map each result back to the service account and SPN that still depends on RC4.
- Rebuild legacy service account key material: reset affected service account passwords twice so Active Directory generates AES keys, then verify the account no longer advertises RC4 in its supported encryption types.
- Validate log forwarding before enforcement: confirm that Security and System logs are being collected from every domain controller so KDC hardening events and Kerberos ticket events are visible before July 2026.
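The first two guidance points above can be tied together in a small triage script. The following is an added example written for this editorial; it is not code from Semperis, Microsoft or the NHIMG page. It assumes that 4768/4769 events have already been exported from the domain controllers' Security logs and parsed into dictionaries with the documented field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress), and that each account's msDS-SupportedEncryptionTypes value has been read from the directory. The account names, SPNs, IP addresses and attribute values are constructed for the example; the etype 0x17 and the attribute bit flags are the documented Kerberos and Active Directory values.

```python
"""Triage Kerberos audit events for RC4 (etype 0x17) dependencies and check
whether the affected accounts still advertise RC4 in the directory."""
from collections import Counter

RC4_HMAC_ETYPE = 0x17          # TicketEncryptionType value logged for RC4-HMAC
AES_ETYPES = {0x11, 0x12}      # AES128 / AES256-CTS-HMAC-SHA1-96

# Bit flags of the msDS-SupportedEncryptionTypes attribute (documented values)
SET_RC4_HMAC = 0x4
SET_AES128 = 0x8
SET_AES256 = 0x10

# Constructed sample events: parsed fields from event IDs 4768 (TGT request)
# and 4769 (service ticket request). Names, SPNs and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-legacy-erp", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15", "Computer": "DC01"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc-legacy-erp",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.40", "Computer": "DC01"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "WEB01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40", "Computer": "DC02"},
    {"EventID": 4769, "TargetUserName": "backup-agent@CORP.EXAMPLE", "ServiceName": "svc-legacy-erp",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77", "Computer": "DC02"},
    {"EventID": 4768, "TargetUserName": "jdoe", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40", "Computer": "DC01"},
]

# Constructed directory snapshot: account -> msDS-SupportedEncryptionTypes
# (None means the attribute is not set on the object).
SAMPLE_DIRECTORY = {"svc-legacy-erp": None, "WEB01$": SET_AES128 | SET_AES256}


def etype(event):
    """TicketEncryptionType is logged as a hex string such as '0x17'."""
    return int(event["TicketEncryptionType"], 16)


def rc4_events(events):
    """Keep only TGT and service ticket events issued with RC4-HMAC."""
    return [e for e in events
            if e["EventID"] in (4768, 4769) and etype(e) == RC4_HMAC_ETYPE]


def rc4_dependents(events):
    """Attribute each RC4 ticket to the account whose key was used.

    4768: the TGT is encrypted with the requesting account's key, so
          TargetUserName still holds and uses an RC4 key.
    4769: the service ticket is encrypted with the SPN owner's key, so
          ServiceName either has no AES keys or the client offered only RC4;
          both cases need a look.
    Returns a Counter keyed by (account, evidence kind).
    """
    counts = Counter()
    for e in rc4_events(events):
        if e["EventID"] == 4768:
            counts[(e["TargetUserName"], "tgt-rc4-key")] += 1
        else:
            counts[(e["ServiceName"], "service-ticket-rc4")] += 1
    return counts


def advertises_rc4(supported_etypes):
    """True if msDS-SupportedEncryptionTypes still permits RC4.

    An unset or zero attribute is treated as RC4-capable: the KDC then falls
    back to a default that has historically included RC4.
    """
    if not supported_etypes:
        return True
    return bool(supported_etypes & SET_RC4_HMAC)


def has_aes_flags(supported_etypes):
    """True if the attribute explicitly allows AES128 or AES256."""
    return bool((supported_etypes or 0) & (SET_AES128 | SET_AES256))


def remediation_report(events, directory):
    """Join event evidence with the directory attribute per account."""
    rows = {}
    for (account, kind), n in rc4_dependents(events).items():
        row = rows.setdefault(account, {"rc4_events": 0, "evidence": set()})
        row["rc4_events"] += n
        row["evidence"].add(kind)
    for account, row in rows.items():
        value = directory.get(account)
        row["advertises_rc4"] = advertises_rc4(value)
        row["has_aes_flags"] = has_aes_flags(value)
        row["action"] = ("reset password twice to generate AES keys, then set AES-only etypes"
                         if not row["has_aes_flags"]
                         else "remove the RC4 flag from msDS-SupportedEncryptionTypes")
    return rows


if __name__ == "__main__":
    for account, row in remediation_report(SAMPLE_EVENTS, SAMPLE_DIRECTORY).items():
        print(account, row)
```

Run against the constructed sample, the report lists only svc-legacy-erp, with three RC4 events, both kinds of evidence, no AES flags on the object, and the password-reset action from the guidance above. In a real run, feed it the 60-day export the Semperis queries produce and the attribute values pulled from each account, and re-run after the resets to confirm the account has dropped out of the report.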
What's in the full article
Semperis' full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step Sentinel and Splunk queries for finding 0x17 RC4 ticket usage across Security logs.
- Field-by-field interpretation of event IDs 4768 and 4769 for identifying the exact account, SPN, and ticket type involved.
- Domain controller audit policy settings needed to make Kerberos ticket events and KDC hardening warnings visible.
- Remediation table mapping KDC hardening warnings to likely causes and next actions for affected accounts and systems.
👉 Read Semperis' guide to auditing RC4-dependent Kerberos apps before enforcement →
RC4 deprecation in Active Directory: which apps will break?
Explore further
RC4 deprecation is exposing identity lifecycle debt, not just cryptographic weakness. The article shows that the accounts most likely to fail are legacy service identities whose password history never generated AES keys. That means the real gap is lifecycle visibility, not a missing encryption setting. Practitioners should treat RC4 as a marker for unmanaged identity age and configuration drift.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly identity debt compounds once a service account or token set is exposed.
A question worth separating out:
Q: Who is accountable when RC4 deprecation breaks a business application?
A: Application ownership, directory ownership, and identity governance ownership all share accountability, but the operational fix usually sits with the team that controls the service account and the service restart path. In practice, the accountable team is the one that can trace the dependency, change the encryption setting, and prove the account now supports AES.
👉 Read our full editorial: RC4 deprecation exposes hidden Kerberos app dependencies in AD