Nov 17 2021 02:10 AM
Nov 18 2021 01:24 AM - edited Nov 18 2021 01:25 AM
What do you see in weak cipher report details? If this is related to weak encryption (RC4, DES) that AD accounts are using then you would need to look for events related to kerberos protocol (4766-4768).
A fix for that is by going to AD account -> Properties -> Account -> Account options and tick 2 boxes "This account supports Kerberos AES 128/256 bit encryption". This would default account to use AES encryption rather than RC4.
Nov 18 2021 09:11 AM - edited Nov 18 2021 09:12 AM
What does it say in the usage report? If it is related to accounts using weak encryption protocol, you should look for kerberos authentication event id. I had similar on MCAS where users reported using RC4 encryption. There is a setting under ADUC account properties to set to use 128/256 AES encryption. Then it defaults to using AES over RC4.