Forum Discussion
Kerberos double hop delegation on SQL Linked Server fails on AG listener after RC4 disablement
Environment
- 3-node SQL Server 2022 with Availability Group
- Windows Server 2022
- Linked Server configured with Kerberos delegation (double-hop scenario)
- RC4 encryption recently disabled via GPO
The Problem
After disabling RC4 in the domain (not sure of this root cause), Kerberos delegation through a Linked Server stopped working — but only when connecting via the **AG listener name**. Connecting via the **node name** works fine.
I tried migrating my service account to a gMSA and I've recreated all SPNs and all delegation for the new account, but the issue is the same:
Authentication works if the linked server uses the node name; if it uses the Listener AG name, the connection fails with:
```
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456)
Connection Id 6d654295-0538-4837-b900-ff65c9e86ee9 at 2026-04-29 11:59:25Z
```
I confirmed via Kerberos event logging (Event ID 4769 on DC):
On a healthy request (node name), ticket encryption type is `0x12` (AES256).
- Confirmed SPN registration with `setspn -L`
- Verified Kerberos events on the DC (4768/4769)
- Confirmed forwardable flag (`0x40000000`) is present in ticket options — delegation is active
- Confirmed pre-auth and session encryption are both `0x12` (AES256) for the working path
- Set `msDS-SupportedEncryptionTypes = AES128+AES256` on the SQL service account and reset its password
- Rotate KDC key
Are there any additional steps needed on the Linked Server or constrained delegation configuration side after the service account change?
Any guidance appreciated. Thanks.
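A triage helper for the Event ID 4769 fields checked in the post, added here as an example and not part of the original post: it decodes an `msDS-SupportedEncryptionTypes` bitmask and tests each ticket request for an encryption-type failure, a ticket etype outside the account's set, and a missing forwardable flag. The function names and the sample records are constructed for illustration; the bit values and the `KDC_ERR_ETYPE_NOTSUPP` (0xE) failure code are the standard Kerberos/Active Directory ones.

```python
# Added example; constants are standard Kerberos/AD values, sample events are constructed.
SUPPORTED_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
                  0x08: "AES128", 0x10: "AES256"}
# Ticket etype number logged in 4769 -> matching msDS-SupportedEncryptionTypes bit
ETYPE_TO_BIT = {0x01: 0x01, 0x03: 0x02, 0x11: 0x08, 0x12: 0x10, 0x17: 0x04}
FORWARDABLE = 0x40000000      # ticket option the post checks
KDC_ERR_ETYPE_NOTSUPP = 0x0E  # KDC has no support for the requested encryption type


def decode_supported(mask):
    """Names of the enctypes enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in sorted(SUPPORTED_BITS.items()) if mask & bit]


def triage_4769(event, supported_mask):
    """Return findings for one 4769 record against the service account's mask."""
    status = int(event["Status"], 16)
    etype = int(event["TicketEncryptionType"], 16)
    options = int(event["TicketOptions"], 16)
    findings = []
    if status == KDC_ERR_ETYPE_NOTSUPP:
        findings.append("etype-not-supported")
    elif status != 0:
        findings.append(f"failed-0x{status:X}")
    else:
        # Failed requests log 0xFFFFFFFF as the etype, so compare only on success.
        bit = ETYPE_TO_BIT.get(etype)
        if bit is None or not supported_mask & bit:
            findings.append(f"etype-0x{etype:X}-outside-account-mask")
    if not options & FORWARDABLE:
        findings.append("not-forwardable")
    return findings


# Constructed sample records (keys follow the 4769 event data field names).
AES_ONLY = 0x18  # AES128 + AES256, the value the post sets on the service account
SAMPLES = [
    {"Status": "0x0", "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000"},
    {"Status": "0x0", "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},
    {"Status": "0xE", "TicketEncryptionType": "0xFFFFFFFF", "TicketOptions": "0x40810000"},
    {"Status": "0x0", "TicketEncryptionType": "0x12", "TicketOptions": "0x00810000"},
]

if __name__ == "__main__":
    print(decode_supported(AES_ONLY))
    for ev in SAMPLES:
        print(ev["TicketEncryptionType"], triage_4769(ev, AES_ONLY) or ["ok"])
```

Running the same check on 4769 records from the listener-name path and the node-name path shows whether the two requests differ in status, ticket etype or ticket options.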