Microsoft's April 2026 cumulative update for Windows Server activates enforcement mode for CVE-2026-20833, completing the long-running transition away from RC4-HMAC in Kerberos authentication. From the moment domain controllers receive this update, the KDC will reject Kerberos service ticket requests that would previously have fallen back to RC4, and any service account, computer account, or application that has not been configured to use AES encryption will stop working.
Why RC4 in Kerberos Is a Security Problem
RC4-HMAC has been deprecated in Kerberos for years, but Windows has continued to accept it as a fallback to maintain compatibility with legacy systems. The weakness is exploitable: an attacker who obtains a Kerberos service ticket encrypted with RC4 can perform offline brute-force attacks (known as Kerberoasting) to recover the service account password, without ever touching the domain controller again after the initial ticket request. The attack succeeds because RC4 is computationally cheap to crack compared to AES-256.
CVE-2026-20833 formalises the security advisory under which Microsoft is enforcing the transition. The January 2026 update introduced audit mode, logging Kerberos requests that would fail under enforcement. The April update removes the fallback entirely.
What Changes in April 2026
When a domain controller receives the April update, the KDC enters AES-only mode for accounts where the msDS-SupportedEncryptionTypes attribute is not explicitly set. Previously, an unset attribute would cause the KDC to implicitly accept RC4. Under the new enforcement:
- Service accounts without msDS-SupportedEncryptionTypes set to include AES (0x18 or higher) will not receive Kerberos tickets for the services they authenticate to
- Applications using legacy Kerberos libraries that do not advertise AES support in their ticket requests will fail
- Devices that have not joined or refreshed their domain credentials recently enough to hold AES session keys may experience authentication failures
The change affects all Windows Server versions still in mainstream support, and applies to both on-premises Active Directory and hybrid environments using Microsoft Entra ID with Kerberos pass-through.
Who Is at Risk
Organisations with any of the following are likely to experience authentication disruptions post-update:
- Service accounts created before 2015: older accounts frequently lack the msDS-SupportedEncryptionTypes attribute
- Application service accounts for third-party software, particularly enterprise applications that manage their own Kerberos keytab files (SAP, Oracle, older Java EE applications)
- Print servers and legacy file shares: services that authenticate to AD using older SMB/Kerberos implementations
- Non-Windows devices joined to AD: Linux systems using Samba/SSSD, macOS devices using native Kerberos, and network appliances that authenticate via Kerberos may use older encryption libraries
Recommended Actions
- Check your audit logs before deploying the update. The January 2026 update logged all Kerberos requests that would fail under enforcement: review Event ID 14 in the System log on domain controllers. Any accounts logged there need remediation before the April update reaches your DCs.
- Set msDS-SupportedEncryptionTypes on all service accounts. The recommended value is 0x18 (AES128 + AES256). Use PowerShell or Active Directory Users and Computers to audit and set this attribute. Microsoft's support article provides the exact syntax.
- Run klist on application servers to verify AES session key usage. Kerberos tickets showing EncType: rc4-hmac in klist output after January indicate those accounts will break in April.
- Stagger the domain controller update rollout. Deploy to a subset of DCs first with monitoring before rolling out broadly; this limits the blast radius if authentication failures occur for accounts you missed.
- Coordinate with application owners. Service accounts for line-of-business applications are often managed by vendors or separate teams. Alert application owners now; post-enforcement failures can present as application errors rather than obvious authentication issues.
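As an added example (not code from Microsoft's advisory or support article), the following PowerShell covers the audit and remediation steps above for SPN-bearing accounts. It assumes the RSAT ActiveDirectory module is installed and the caller can read, and for the fix write, msDS-SupportedEncryptionTypes; the function names are hypothetical.

```powershell
# Added audit helper, not code from Microsoft's advisory. Assumes the RSAT
# ActiveDirectory module and rights to read (and, for the fix, write) the
# msDS-SupportedEncryptionTypes attribute on the reported accounts.
Import-Module ActiveDirectory

$AesMask = 0x8 -bor 0x10   # AES128 (0x8) + AES256 (0x10) = 0x18, the recommended value

function Get-NonAesKerberosAccounts {
    # Any account carrying an SPN can be issued a service ticket, so these are
    # the accounts the KDC will refuse under enforcement if AES is not advertised.
    $props = 'msDS-SupportedEncryptionTypes', 'whenCreated'
    $accts = @(Get-ADUser     -Filter 'servicePrincipalName -like "*"' -Properties $props) +
             @(Get-ADComputer -Filter 'servicePrincipalName -like "*"' -Properties $props)

    foreach ($a in $accts) {
        $enc = $a.'msDS-SupportedEncryptionTypes'
        $problem = if ($null -eq $enc) {
            'Attribute unset; KDC no longer falls back to RC4'
        } elseif (($enc -band $AesMask) -eq 0) {
            'Set to 0x{0:X} with no AES bits' -f $enc
        }
        if ($problem) {
            [pscustomobject]@{
                Name        = $a.SamAccountName
                ObjectClass = $a.ObjectClass
                WhenCreated = $a.whenCreated
                Problem     = $problem
            }
        }
    }
}

function Set-AesEncryptionTypes {
    # OR in the AES bits rather than overwriting, so an account that still needs
    # RC4 for a documented reason keeps it while gaining AES.
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name)
    process {
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$Name'" -Properties 'msDS-SupportedEncryptionTypes'
        $new = [int]$obj.'msDS-SupportedEncryptionTypes' -bor $AesMask   # [int]$null is 0
        Set-ADObject -Identity $obj -Replace @{ 'msDS-SupportedEncryptionTypes' = $new }
        '{0}: msDS-SupportedEncryptionTypes -> 0x{1:X}' -f $Name, $new
    }
}

# Report first; remediate only after reconciling the list with the Event ID 14 audit entries.
Get-NonAesKerberosAccounts | Format-Table -AutoSize
# Get-NonAesKerberosAccounts | Set-AesEncryptionTypes
```

Setting the attribute does not by itself create AES keys: they are derived from the account password, so an account whose password was last set before the domain supported AES also needs a password reset (or, for a computer account, a key refresh) before the KDC can issue it AES tickets.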