This is an automated archive.

The original was posted on /r/sysadmin by /u/fullMetalFileCabinet on 2023-10-24 19:26:24+00:00.


Think we are getting close to disabling RC4 for Kerberos. A 30 day audit of 4768 and 4769 events shows the following:

AES256-CTS-HMAC-SHA1-96 15,043,147

RC4-HMAC 42

My plan is to define the “Network security: Configure encryption types allowed for Kerberos.” in group policy objects that apply to both domain controllers and member servers. Only the following will be checked:

AES128_HMAC_SHA1

AES256_HMAC_SHA1

Future encryption types

My question: after doing this, do I still need to identify all accounts that have an SPN defined and check the AES boxes in the account’s properties? Does this need to be done on the KRBTGT account as well?

Thanks!
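The AES checkboxes mentioned in the post are stored as bits 0x08 and 0x10 of each account's `msDS-SupportedEncryptionTypes` attribute. The following is an added example, not part of the original post: it decodes that attribute for accounts with an SPN and flags those without an AES bit. The function name `Get-SpnEncTypeReport`, the status labels and the sample accounts are constructed for illustration.

```powershell
# Encryption-type bits of msDS-SupportedEncryptionTypes (low five bits).
$EncBits = [ordered]@{
    'DES_CBC_CRC'      = 0x01
    'DES_CBC_MD5'      = 0x02
    'RC4_HMAC'         = 0x04
    'AES128_HMAC_SHA1' = 0x08
    'AES256_HMAC_SHA1' = 0x10
}

# Hypothetical helper: classifies one account object per pipeline item.
function Get-SpnEncTypeReport {
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        $raw   = $Account.'msDS-SupportedEncryptionTypes'
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        $enc   = $value -band 0x1F   # ignore the non-etype feature bits above 0x10
        $names = @($EncBits.Keys | Where-Object { $enc -band $EncBits[$_] })
        $status = if ($enc -eq 0) {
            'NoEncTypesSet'          # attribute empty: the KDC applies its default
        } elseif (-not ($enc -band 0x18)) {
            'NoAES'                  # only DES/RC4 listed on the account
        } elseif ($enc -band 0x07) {
            'AESPlusLegacy'          # AES listed, but DES/RC4 still listed too
        } else {
            'AESOnly'
        }
        [pscustomobject]@{
            Name     = $Account.Name
            Value    = '0x{0:X2}' -f $value
            EncTypes = $names -join ','
            Status   = $status
        }
    }
}

# Constructed sample objects so the script runs without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'svc-sql';    'msDS-SupportedEncryptionTypes' = 0x18 }
    [pscustomobject]@{ Name = 'svc-legacy'; 'msDS-SupportedEncryptionTypes' = 0x04 }
    [pscustomobject]@{ Name = 'svc-web';    'msDS-SupportedEncryptionTypes' = $null }
    [pscustomobject]@{ Name = 'APP01$';     'msDS-SupportedEncryptionTypes' = 0x1C }
)
$sample | Get-SpnEncTypeReport | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module), feed it with:
# Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
#     -Properties 'msDS-SupportedEncryptionTypes' | Get-SpnEncTypeReport
```

Accounts reported as `NoAES` or `NoEncTypesSet` are the ones to compare against the 42 RC4-HMAC events from the audit before the policy is enforced.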