-
Title
Is RC4 required to be enabled on a server with a Change Auditor Coordinator and/or agent? -
Description
Disabling RC4 is causing the Change Auditor service to stop and display event logs messages related to authentication. Is it mandatory to have this enabled? -
Cause
RC4 is a required fallback legacy encryption type under FIPS 140-2, which means, failing to negotiate all other encryption types, it will use RC4. If RC4 is being used as the main encryption method, then it appears that something in the environment is disallowing all other kinds of encryption.
For 2008/2012 there is a patch, KB2868725, that disables RC4 for those OS's. It is not mandatory, so we have not implemented it yet due to other legacy apps.For 2016/2019 starting with the Jan rollup, MS has essentially disabled RC4, the don't call it out explicitly but with the other security features they enabled, it is the same difference as if it is disabled. -
Resolution
From the Technical Guide: The Change Auditor 7.0.2 agent connects to a coordinator using WCF with Windows authentication and TCP transport security, which negotiates Kerberos for both authentication and encryption. Only Kerberos encryption algorithms allowed by the “Network security: Configure encryption types allowed for Kerberos” group policy would by used by Windows Authentication. This was tested in 2 different labs where in one lab only some hosts had RC4 hard disabled and the other lab had all hosts in the environment with RC4 disabled, using a GPO to define only "AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryptions types" as options. There was no impact on the coordinator or agents ability to start or connect in both labs.
Please refer to additional information concerning this issue.
-
Additional Information
For 2008/2012 there is a patch, KB2868725, that disables RC4 for those OS's. It is not mandatory, so we have not implemented it yet due to other legacy apps.For 2016/2019 starting with the Jan rollup, MS has essentially disabled RC4, the don't call it out explicitly but with the other security features they enabled, it is the same difference as if it is disabled.So to get around this, you have to enable AES128/256 explicitly on domains that are running functional levels lower than 2016. Which in my case was 2012 R2 and 2008 R2 functional levels.Here are the commands to do that, in case you run into this again:For Forest trusts (parent/child domains)Run this command from the Forest DC:ksetup /setenctypeattr child.contoso.com RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96Run this command from the Child DC:ksetup /setenctypeattr contoso.com RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96This will allow AES128/256 and RC4 to be used. So like in my case, with a newer OS that is fully patched communicating with older DC's - it allows the AES128/256 Kerberos/NTLM traffic to go through.