Forum Discussion
Domain users not able to logon with their password even though it has not been changed....
Sorry, can't find a way to edit my post, so just adding that "and I check that the account is not logged out or expired....." should of course be "and I check that the account is not locked out or expired....."
- rtcpu, Apr 17, 2026, Copper Contributor
If you have installed the April 2026 updates on your domain controllers then that might explain it. RC4 has been removed as a default for "assumed encryption types" (where an account does not specify the encryption types it requires/uses). As the accounts have very old passwords they most likely don't have the newer AES encryption keys which are now required. Resetting a password, even to the same password, should generate new keys. There are event logs on the domain controllers that can confirm if this is what is happening. You can revert the RC4 change by adding a registry setting to your domain controllers but you've only got until July 2026, which is when the change is being enforced.
See these articles for more information.
What is going on with RC4 in Kerberos? | Microsoft Community Hub
https://support.microsoft.com/en-us/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc
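
As an added example (not part of the reply above and not Microsoft's own tooling), the following read-only PowerShell lists enabled accounts that declare no AES encryption type and whose password is older than a cutoff, which are the accounts the reply expects to lack AES keys. The `$AesAvailableSince` date is a placeholder assumption: set it to when your domain first had domain controllers that generate AES keys on password change.

```powershell
# Added example: find enabled accounts that likely have no AES Kerberos keys.
# Read-only; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# ASSUMPTION (placeholder value): the date from which password changes in this
# domain produced AES keys. Set this for your own environment.
$AesAvailableSince = Get-Date '2010-01-01'

# msDS-SupportedEncryptionTypes bit flags for the AES types
$AES128 = 0x08
$AES256 = 0x10

$props = 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'ServicePrincipalName'

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $enc = $_.'msDS-SupportedEncryptionTypes'

    # Attribute unset or 0: the account falls back to the "assumed" types
    $noExplicitTypes = ($null -eq $enc) -or ($enc -eq 0)
    $aesDeclared = (-not $noExplicitTypes) -and
                   (($enc -band ($AES128 -bor $AES256)) -ne 0)

    # A null PasswordLastSet means the age is unknown; report it for review
    $oldPassword = ($null -eq $_.PasswordLastSet) -or
                   ($_.PasswordLastSet -lt $AesAvailableSince)

    if ($oldPassword -and -not $aesDeclared) {
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            PasswordLastSet  = $_.PasswordLastSet
            EncTypesRaw      = $enc
            UsesAssumedTypes = $noExplicitTypes
            HasSPN           = [bool]$_.ServicePrincipalName
        }
    }
} | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Accounts in the output are candidates for the password reset described in the reply; confirm against the domain controller event logs before changing anything.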