Forum Discussion
RC4 Deprecating by April
I’m reviewing our Seamless SSO setup and noticed that the AzureADSSOAcc account is still using RC4 (encryption type 0x17) from Kerberos event logs.
I have a few questions regarding this:
Why does AzureADSSOAcc still default to RC4 instead of AES, even when the domain supports AES?
With Microsoft disabling RC4 (April updates), will AzureADSSOAcc automatically switch to AES?
If it does not switch automatically, what is the recommended way to force it to use AES?
Is running Update-AzureADSSOForest (key rotation) sufficient, and does it cause any downtime or impact to Seamless SSO?
I want to make sure we transition to AES safely without breaking SSO for users.
Any guidance or real-world experience would be appreciated.
1 Reply
I believe Microsoft's current arrangement is that you should rotate the AzureADSSOAcc keys with Update-AzureADSSOForest, which re-provisions the account with AES keys and does not cause downtime for Seamless SSO.
Windows Kerberos RC4 deprecation: what will break in Active Directory and how to fix it – 4sysops
https://windowsforum.com/threads/april-2026-windows-kerberos-enforcement-aes-sha1-only-and-fslogix-smb-risk.408005/
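A check that can be run before and after the key rotation discussed above, as an added example that is not part of the original thread: it decodes the account's msDS-SupportedEncryptionTypes bitmask and filters Kerberos service-ticket events (ID 4769) for RC4 (0x17) tickets issued for AZUREADSSOACC$. The function names and sample events are constructed for illustration; the commented live queries assume the ActiveDirectory module and read access to the Security log on a domain controller.

```powershell
# Added example. Function names are hypothetical; the sample events are constructed.

# Decode an msDS-SupportedEncryptionTypes value into the etypes it allows.
function ConvertFrom-SupportedEtypes {
    param([int]$Value)
    $flags = @{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256' }
    if ($Value -eq 0) { return 'not set (KDC default applies)' }
    $flags.Keys | Sort-Object | Where-Object { $Value -band $_ } | ForEach-Object { $flags[$_] }
}

# Return the 4769 events (passed as XML strings) in which a ticket for the
# given service account was issued with RC4-HMAC (0x17).
function Get-Rc4TicketEvents {
    param([string[]]$EventXml, [string]$ServiceName = 'AZUREADSSOACC$')
    foreach ($xml in $EventXml) {
        $data = @{}
        foreach ($d in ([xml]$xml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ServiceName'] -eq $ServiceName -and $data['TicketEncryptionType'] -eq '0x17') {
            [pscustomobject]@{
                Client  = $data['TargetUserName']
                Service = $data['ServiceName']
                Etype   = $data['TicketEncryptionType']
                Source  = $data['IpAddress']
            }
        }
    }
}

# Constructed sample events (trimmed to the fields used here).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = '<Event xmlns="{0}"><EventData><Data Name="TargetUserName">{1}</Data>' +
            '<Data Name="ServiceName">{2}</Data><Data Name="TicketEncryptionType">{3}</Data>' +
            '<Data Name="IpAddress">{4}</Data></EventData></Event>'
$sample = @(
    ($template -f $ns, 'alice@CONTOSO.EXAMPLE', 'AZUREADSSOACC$', '0x17', '::ffff:192.0.2.10'),
    ($template -f $ns, 'bob@CONTOSO.EXAMPLE',   'AZUREADSSOACC$', '0x12', '::ffff:192.0.2.11'),
    ($template -f $ns, 'carol@CONTOSO.EXAMPLE', 'FILESRV01$',     '0x17', '::ffff:192.0.2.12')
)

ConvertFrom-SupportedEtypes 0x1C
Get-Rc4TicketEvents -EventXml $sample | Format-Table

# Live use on a domain controller:
#   $acct = Get-ADComputer AZUREADSSOACC -Properties 'msDS-SupportedEncryptionTypes'
#   ConvertFrom-SupportedEtypes $acct.'msDS-SupportedEncryptionTypes'
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } | ForEach-Object { $_.ToXml() }
#   Get-Rc4TicketEvents -EventXml $xml
```

An empty result from the live event query after rotation, over a period in which users have signed in through Seamless SSO, indicates that tickets for the account are no longer being issued with RC4.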