Microsoft
Microsoft
MicrosoftHey Gary,
RC4 encryption is still supported for Service Ticket encryption, however, RC4 Encryption support for the Session Keys (SK) within the Service Tickets is no longer supported.
To help you understand, when you talk about service tickets you have to talk about what is inside a service ticket. Inside a service ticket, you have a session key that is encrypted for use by the end service and the client. They each have a copy of this symmetric key (called a session key). This session key is also encrypted within the Service ticket using an encryption type. After November we do not allow RC4 Session keys to be used any longer. the KDC is only going to generate session keys that are AES256_CTS_HMAC_SHA1_96_SK (Session Key)
Support for AES256_CTS_HMAC_SHA1_96_SK (Session Key) based session keys started with Windows Vista/2008, so any legacy OS prior to this date will not support this encryption type. This is why you are having the issue with Windows Server 2000. The best thing I can tell you is to make your application use NTLM instead of Kerberos if you still need it to work. The simplest way to make that work would be to reference the 2000 server via its IP Address and not its computer name. I cannot tell you how long that will work in the long term either.
https://www.kerberos.org/software/tutorial.html
https://iam.uconn.edu/the-kerberos-protocol-explained/
unfortunately, like some other customers you are running an OS that is more than 20 years old, and no longer supported or tested against. It would be best to migrated off of this solution as soon as possible.