Forum Discussion
Kerberos and the End of RC4: Protocol Hardening and Preparing for CVE‑2026‑20833
That's the exact opposite of what I just read. RC4 is gone come July 2026 unless you decide not to patch your DCs.
Actually no. Theoretically you can set the msDS-SupportedEncryptionTypes to allow RC4 on all the account and have no issue on July, but why leave such a huge vulnerability open?
I'll advice on analyzing the logs and set the attribute msDS-SupportedEncryptionTypes to allow RC4 only temporarily and when really necessary.
- jigarpanchal05Jun 26, 2026Copper Contributor
Hi, We are managing a huge account where we want to keep RC4 enabled by setting msds-SET attribute. In many clients the attribute is already set to 0x1F and still reported in event id 201 for advertising only RC4. I just want to understand if this is a normal scenario and do I need to change the attribute from 0x1F to 4 (RC4 only)
- Elanor92Jun 29, 2026
Microsoft
Hi,
that should work, even though I would advise on using 0x1C or 0x3C because those values don't allow the use of DES encryption, unlike the 0x1F value.
Keep in mind that encryption methods inserted in the msDS-SupportedEncryptionTypes attribute works only if the KDC knows how to handle them. So, if you plan to leave RC4 available as exception for some accounts, remember to allow RC4 on the supportedEcryptionType policy for the DCs (0x7FFFFFFC value).
Note that the msDS-SupportedEncryptionTypes cannot be used with XP clients and Windows Server 2003 servers (for the 2003 servers there should be a workaround, but I wasn't able to find anything official about it)