Hi Jerry Devore,
Thanks for the article; it's very helpful. I have the scenario below, for which I'm trying to find a solution.
My application is currently running using RC4 encryption through a key tab, but it will still support AES-128 as well. Currently only RC4 is enabled at the AD account level. The future release of the application only supports AES-128, so we wanted to move to a new key tab file with AES-128 encryption. Below are the issues we're facing.
1. We've been testing by enabling both AES-128 and RC4 and checking whether the current version with RC4 still works. But as soon as we enable AES-128, the SSO of the application is broken, though it's still supporting RC4. How can we resolve this issue?
KerberosEncryptionType : {RC4, AES128}
msDS-KeyVersionNumber : 14
msDS-SupportedEncryptionTypes : 12
2. How can we make sure the application won't use cached tickets after making changes to the supported encryption types?