Key Takeaways:

Microsoft is phasing out weak RC4 encryption in Kerberos to reduce credential exposure.
The changes roll out in stages, with stricter defaults coming later in 2026.
Organizations must review Kerberos settings to avoid authentication issues.

Microsoft is rolling out an important security change to protect Windows environments from a newly disclosed Kerberos vulnerability that lets attackers take advantage of weak RC4 encryption. The company has urged organizations to act quickly, because domain controllers are being moved to stronger AES‑based encryption in stages, and environments that still depend on RC4 risk authentication failures once the stricter defaults arrive.

The security flaw (CVE‑2026‑20833) is a Kerberos information‑disclosure vulnerability caused by the continued use of weak, legacy cryptographic algorithms (particularly RC4) when issuing service tickets. It allows any authenticated domain user to request service tickets encrypted with RC4 and then crack them offline to recover the service account's password (the technique commonly known as Kerberoasting). RC4‑HMAC tickets are especially exposed because the RC4 key is simply the account's unsalted NT password hash, which is fast to attack, and service accounts often hold elevated privileges that grant broader access across an environment.

When do Kerberos audit and enforcement changes take effect?

Microsoft has detailed a timeline to give organizations time to detect, prepare for, and transition away from RC4‑based Kerberos encryption. The initial deployment phase started with the January 13, 2026, update, which introduces new Kerberos audit events and optional registry controls. These changes allow administrators to identify where RC4 is still in use and to start evaluating the impact of future enforcement. This early phase is intentionally diagnostic: it surfaces misconfigurations and legacy dependencies before stricter defaults take effect.

In April 2026, Microsoft will shift domain controllers to using AES‑SHA1 as the default encryption type for accounts without explicit Kerberos settings (that is, accounts whose msDS-SupportedEncryptionTypes attribute is not set), which disables automatic fallback to RC4. Environments that still depend on RC4 at this point may experience authentication failures.
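Because the April change targets accounts with no explicit Kerberos encryption settings, the first thing to find is which accounts fall into that bucket, and which ones are explicitly limited to RC4 or DES. The following PowerShell script is an added example, not code from Microsoft's advisory: it decodes the documented bit flags of msDS-SupportedEncryptionTypes and lists service accounts (users with an SPN), computer accounts and trusts that are not AES-only. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: inventory accounts exposed to RC4 before the April 2026 default change.
# Assumes the ActiveDirectory RSAT module is installed and the caller can read the domain.
Import-Module ActiveDirectory

# Cipher bits of msDS-SupportedEncryptionTypes as documented in MS-KILE.
# Higher bits (FAST, claims, SID compression) are not cipher suites and are ignored here.
$EncFlags = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
    AES256_SK   = 0x20
}

function ConvertTo-EncTypeNames {
    param([Nullable[int]]$Value)
    if ($null -eq $Value -or $Value -eq 0) { return 'NOT SET (inherits DC default)' }
    ($EncFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Key) -join ','
}

function Get-RC4ExposedAccounts {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $props = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'

    # Users with an SPN are the Kerberoasting targets; computers and trusts are
    # included because the KDC issues service tickets for them as well.
    # Note: '-Filter *' on computers can be slow in very large domains.
    $objs = @()
    $objs += Get-ADUser     -LDAPFilter '(servicePrincipalName=*)'    -SearchBase $SearchBase -Properties $props
    $objs += Get-ADComputer -Filter *                                  -SearchBase $SearchBase -Properties $props
    $objs += Get-ADObject   -LDAPFilter '(objectClass=trustedDomain)'  -SearchBase $SearchBase -Properties $props

    foreach ($o in $objs) {
        $v      = $o.'msDS-SupportedEncryptionTypes'
        $hasAes = ($v -band 0x18) -ne 0
        $hasRc4 = ($v -band 0x04) -ne 0
        # 'AES+RC4' is still exposed: an attacker can ask for an RC4 ticket and the KDC
        # will honour it as long as the account advertises RC4 support.
        $status = if ($null -eq $v -or $v -eq 0) { 'Unset' }
                  elseif (-not $hasAes)          { 'RC4-or-DES-only' }
                  elseif ($hasRc4)               { 'AES+RC4' }
                  else                           { 'AES-only' }
        [pscustomobject]@{
            Name     = $o.Name
            Class    = $o.ObjectClass
            RawValue = $v
            EncTypes = ConvertTo-EncTypeNames $v
            Status   = $status
        }
    }
}

# Everything that is not AES-only needs a decision before the April default change.
Get-RC4ExposedAccounts | Where-Object Status -ne 'AES-only' |
    Sort-Object Status, Name | Format-Table -AutoSize
```

Accounts reported as Unset are the ones whose behaviour changes in April; accounts reported as RC4-or-DES-only will stop working entirely once RC4 is no longer issued and must be moved to AES (set msDS-SupportedEncryptionTypes to 0x18 and reset the password so AES keys are generated) or retired.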

Finally, Microsoft will remove Audit mode and enable Enforcement mode as the only operational state in July 2026. This phase completes the transition and fully eliminates RC4 fallback from the Kerberos protocol path.

How can organizations prepare for this change?

Microsoft recommends four key actions to strengthen Kerberos security against RC4‑related risks. Organizations should begin by updating all Active Directory domain controllers with Windows updates released on or after January 13, 2026. They must then closely monitor the System event log for the nine new Kerberos audit events on Windows Server 2012 and later, which help identify dependencies on RC4 encryption.

Additionally, organizations should address any KDCSVC events that report a condition blocking RC4 protection from being enabled, so that the underlying configuration issues are eliminated. Once all audit and warning events have been resolved, Enforcement mode should be activated to fully mitigate the security vulnerability.
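Steps two and three of that procedure amount to collecting the new KDC audit events from every domain controller and driving them to zero before enforcement. The following PowerShell script is an added example, not Microsoft's own tooling: it pulls System log events from the KDC provider on all domain controllers and summarizes them per DC and event ID. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and that the audit events are written by the provider Microsoft-Windows-Kerberos-Key-Distribution-Center (the KDCSVC source); event IDs are not hard-coded because the article does not list them, and the 'RC4' text match at the end is an assumption about the message wording.

```powershell
# Added example: gather and summarize the new KDC audit events across all DCs.
# Assumptions: ActiveDirectory module, WinRM to each DC, provider name as below.
Import-Module ActiveDirectory

function Get-KdcAuditEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName)
    )
    # Filter on the KDC provider rather than specific IDs so every new audit
    # event introduced by the January 2026 update is captured.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'  # assumed KDCSVC provider
        StartTime    = $Since
    }
    Invoke-Command -ComputerName $DomainController -ArgumentList $filter -ScriptBlock {
        param($f)
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    } -ErrorAction Continue
}

function Get-KdcAuditSummary {
    param([object[]]$Events)
    # One row per (DC, event ID): how often it fires, when it last fired, and the
    # first line of the latest message, which is enough to triage by event type.
    $Events | Group-Object PSComputerName, Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            DomainController = $latest.PSComputerName
            EventId          = $latest.Id
            Level            = $latest.LevelDisplayName
            Count            = $_.Count
            LastSeen         = $latest.TimeCreated
            Sample           = ($latest.Message -split "`r?`n")[0]
        }
    } | Sort-Object DomainController, EventId
}

$events = Get-KdcAuditEvents
Get-KdcAuditSummary -Events $events | Format-Table -AutoSize

# Events whose text names RC4 point at the accounts or clients to fix first.
# The pattern is an assumption about the message wording; adjust to what you see.
$events | Where-Object { $_.Message -match 'RC4' } |
    Select-Object PSComputerName, TimeCreated, Id, Message | Format-List
```

Run the summary on a schedule and keep the output; Enforcement mode is ready to be enabled only when a full audit window passes with no warning events on any domain controller, since a dependency that shows up once a month (a quarterly batch job, a rarely used appliance) will fail the first time it authenticates after the switch.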