Data Protection Advisor: Is DPA impacted by a Microsoft Active Directory change deprecating legacy RC4 encryption ciphers and requiring AES-256 encryption by default
Summary: Is DPA impacted by a Microsoft Active Directory change deprecating legacy RC4 encryption ciphers and requiring AES-256 encryption by default?
Symptoms
Is DPA impacted by a Microsoft Active Directory change deprecating legacy RC4 encryption ciphers and requiring AES-256 encryption by default?
The Microsoft update details are as follows.
RC4 support for AD Kerberos authentication is being removed as part of a Microsoft cumulative security update. This update applies to Microsoft domain controllers.
The Microsoft security update modifies the behavior of Active Directory domain controllers in a way that may cause authentication issues for some applications. Prior to this update, applications that depend on Kerberos authentication could use RC4, AES128, or AES256 ciphers to encrypt their authentication requests. The domain controllers would return Kerberos tickets back to the application's service account using the same cipher that was used for the request. After the update is installed, the domain controllers will return Kerberos tickets encrypted in AES256 by default. They will only use other ciphers when the calling service account has been configured to require another cipher.
This new update was released as part of a "cumulative update" package that includes all the available updates for the Windows Server platform. It cannot be selectively uninstalled, and the only way to prevent it from being installed is to stop updating the domain controllers.
This update was released in November 2022 for Windows Server.
The only DPA functionality in question is External Authentication using LDAP and LDAP with SSL.
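To see which service accounts fall under the "configured to require another cipher" case described above, the following added example (not from this article or from Dell or Microsoft) audits an LDIF export of accounts. It assumes the configuration is held in the Active Directory attribute msDS-SupportedEncryptionTypes, which the article does not name; the account names, domain and export are constructed.

```python
# Bit values of the AD attribute msDS-SupportedEncryptionTypes
# (an assumption of this example; the article does not name the attribute).
ETYPE_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
              0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}

def decode(mask):
    """Names of the ciphers enabled in an encryption-type bitmask."""
    return [name for bit, name in ETYPE_BITS.items() if mask & bit]

def classify(mask):
    """Classify an account following the behaviour the article describes."""
    if not mask & 0x1F:
        return "default"      # no cipher configured: AES256 tickets by default
    if mask & 0x10:
        return "aes256"       # AES256 explicitly enabled
    if mask & 0x08:
        return "aes128-only"  # configured for AES128 without AES256
    return "legacy-only"      # configured for RC4/DES only: review this account

def audit_ldif(text):
    """Parse blank-line-separated LDIF records into {account: (status, ciphers)}."""
    report = {}
    for record in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in record.splitlines())
        attrs = {k.lower(): v.strip() for k, sep, v in pairs if sep}
        name = attrs.get("samaccountname")
        if name is None:
            continue          # not an account record
        # The attribute is exported as a decimal integer; absent means unset.
        mask = int(attrs.get("msds-supportedencryptiontypes", "0"))
        report[name] = (classify(mask), decode(mask))
    return report

# Constructed sample export (hypothetical accounts and domain).
SAMPLE_LDIF = """\
dn: CN=svc-backup,OU=Service,DC=example,DC=test
sAMAccountName: svc-backup

dn: CN=svc-report,OU=Service,DC=example,DC=test
sAMAccountName: svc-report
msDS-SupportedEncryptionTypes: 24

dn: CN=svc-legacy,OU=Service,DC=example,DC=test
sAMAccountName: svc-legacy
msDS-SupportedEncryptionTypes: 4
"""

if __name__ == "__main__":
    for account, (status, ciphers) in audit_ldif(SAMPLE_LDIF).items():
        print(f"{account:12} {status:12} {', '.join(ciphers) or '(unset)'}")
```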
Cause
The product is functioning as designed.
Resolution
Data Protection Advisor is not impacted or affected by this change to Microsoft Active Directory.
It has been verified that DPA External Authentication using LDAP and LDAP with SSL is not affected by this Active Directory update.
Contact Dell Technical Support for further details or information.
Article Properties
Article Number: 000212968
Article Type: Solution
Last Modified: 01 Jun 2023
Version: 2