Microsoft
MicrosoftHello!
>So where does Windows Server 2025 now look to see what encryption types it's allowed to use, if not that path?
Kerb3961 reads the Kerberos supported encryption types from the group policy configured registry key instead. The recommended way to write to this registry key is by creating a Network security Configure encryption types allowed for Kerberos - Windows 10 | Microsoft Learn group policy and applying it to the machine in question.
However, if for one reason or another you are unable to leverage the group policy user interface, this is the registry key that the policy ultimately writes to.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
REG_DWORD SupportedEncryptionTypes
That being said, I strongly recommend leveraging group policy if possible for ease of configurability going forward.
Great thanks WillAftring​ for the swift response. Am I right that we need to set that value (preferably via GP as you say) on the DCs to completely disable the use of RC4 anywhere in Kerberos in an AD domain? So that even if a client explicitly requests RC4, the DCs will refuse to issue a ticket as they only support AES?
Microsoft>Am I right that we need to set that value (preferably via GP as you say) on the DCs to completely disable the use of RC4 anywhere in Kerberos in an AD domain?
That is correct. If a KDC cannot issue Kerberos tickets with encryption types it does not support / have enabled.
