{"id":21247,"date":"2025-12-03T09:00:00","date_gmt":"2025-12-03T17:00:00","guid":{"rendered":""},"modified":"2026-02-19T17:21:49","modified_gmt":"2026-02-20T01:21:49","slug":"beyond-rc4-for-windows-authentication","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/","title":{"rendered":"Beyond RC4 for Windows authentication"},"content":{"rendered":"\n<p>As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever. The deprecation of RC4 (Rivest Cipher 4) encryption in Kerberos is a shift toward modern, resilient security standards. RC4, once a staple for compatibility, is susceptible to attacks like&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2024\/10\/11\/microsofts-guidance-to-help-mitigate-kerberoasting\">Kerberoasting<\/a>&nbsp;that can be used to steal credentials and compromise networks. It is crucial to discontinue using RC4.<\/p>\n\n\n\n<p>By mid-2026, we will be updating the domain controller default assumed supported encryption types. The assumed supported encryption types is applied to service accounts that do not have an explicit configuration defined.&nbsp;Secure Windows authentication does not require RC4; AES-SHA1 can be used across all supported Windows versions since it was introduced in Windows Server 2008. If existing RC4 use is not addressed before the default change is applied, authentication relying on the legacy algorithm will no longer function. This blog post helps IT professionals transitioning to AES-SHA1 encryption by offering steps to detect and address remaining RC4 usage.<\/p>\n\n\n\n<p>For additional details on our Windows Update rollout strategy, check out this page on&nbsp;<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc\" target=\"_blank\" rel=\"noreferrer noopener\">how to manage Kerberos KDC usage of RC4<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/detect-remediate-rc4-kerberos\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about how you can strengthen Windows authentication<\/a><\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"detect-rc4-usage-with-new-tools\">Detect RC4 usage with new tools<\/h2>\n\n\n\n<p>Aside from the Windows Update rollout of changes to domain controller default assumed supported encryption types, RC4 should be completely disabled in domain environments to maximize security. Legacy applications or interoperability with non-Windows devices may still necessitate the use of RC4, and such dependencies will need to be identified and addressed.<\/p>\n\n\n\n<p>To support the identification of RC4 usage, we have enhanced existing information within the Security Event Log and developed new PowerShell auditing scripts. These enhancements are available in Windows Server versions 2019, 2022, and 2025.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"new-fields-within-existing-kerberos-events\">New fields within existing Kerberos Events<\/h3>\n\n\n\n<p>The Security Event Log on Key Distribution Centers (KDC) logs when a client requests a ticket during authentication and when they request access to a specific service within the domain:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/previous-versions\/windows\/it-pro\/windows-10\/security\/threat-protection\/auditing\/event-4768\" target=\"_blank\" rel=\"noreferrer noopener\">4768<\/a>: A Kerberos authentication ticket (TGT) was requested<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/previous-versions\/windows\/it-pro\/windows-10\/security\/threat-protection\/auditing\/event-4769\" target=\"_blank\" rel=\"noreferrer noopener\">4769<\/a>: A Kerberos service ticket was requested<\/li>\n<\/ul>\n\n\n\n<p>New fields have been added to these events to capture all of the encryption algorithms supported by an account and to log the specific algorithm that was used during a ticket request. Using this information, you can now better identify:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authentication client devices that only support RC4<\/li>\n\n\n\n<li>Authentication target devices that only support RC4<\/li>\n\n\n\n<li>Accounts that don\u2019t have AES-SHA1 keys provisioned, specifically for AES128-CTS-HMAC-SHA1-96 (AES128-SHA96) and AES256-CTS-HMAC-SHA1-96 (AES256-SHA96)<\/li>\n<\/ul>\n\n\n\n<p>The first important, new field is called msds-SupportedEncryptionTypes. This field specifies the encryption algorithms that an account supports and is provided for both the client machine and the target service in a request. By default, this field should include both AES-SHA1 and RC4. If it does not include AES-SHA1, that indicates an account that we would expect to use RC4, which would need to be remediated.<\/p>\n\n\n\n<p>The next new field, Available Keys, provides information on the encryption keys that have been created for an account in Active Directory. For most accounts in Windows, this should include RC4 and AES-SHA1 already. If this field contains RC4 but not AES-SHA1, it indicates an account that is not ready to use AES-SHA1 and that would need to be addressed.<\/p>\n\n\n\n<p>The last important new field is the Session Encryption Type. This field contains the encryption algorithm that was used for a specific Kerberos request. Most events will indicate AES-SHA1 was used because that is the default behavior for Windows devices and accounts today. Filtering this event for RC4 will help identify potential problematic accounts and configurations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"new-powershell-scripts\">New PowerShell scripts<\/h3>\n\n\n\n<p>Instead of manually reviewing the Security Event log on your domain controllers to find problematic RC4 usage via events 4768 and 4769, let\u2019s introduce two new PowerShell scripts that are available to you on the\u00a0<a href=\"https:\/\/github.com\/microsoft\/Kerberos-Crypto\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Kerberos-Crypto GitHub repository<\/a>.<\/p>\n\n\n\n<p><strong>List-AccountKeys.ps1<\/strong><\/p>\n\n\n\n<p>Use this PowerShell script to query the Security Event Log for the new Available Keys field. The script enumerates the keys that are available for the accounts it finds from the event logs, as well as the following information:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The time at which an event happened<\/li>\n\n\n\n<li>The account name<\/li>\n\n\n\n<li>The account type<\/li>\n\n\n\n<li>The account keys<\/li>\n<\/ul>\n\n\n\n<p>PS C:\\tools&gt; .\\List-AccountKeys.ps1<\/p>\n\n\n\n<p>Time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Type Keys<\/p>\n\n\n\n<p>&#8212;-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8212;-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8212;- &#8212;-<\/p>\n\n\n\n<p>1\/21\/2025 2:00:10 PM&nbsp; LD1$&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256&#8230;}<\/p>\n\n\n\n<p>1\/21\/2025 2:00:10 PM&nbsp; AdminUser&nbsp;&nbsp;&nbsp; User {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256&#8230;}<\/p>\n\n\n\n<p>1\/21\/2025 6:50:34 PM&nbsp; LD1$&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256&#8230;}<\/p>\n\n\n\n<p>1\/21\/2025 6:50:34 PM&nbsp; AdminUser&nbsp;&nbsp;&nbsp; User {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256&#8230;}<\/p>\n\n\n\n<p>1\/21\/2025 6:50:34 PM&nbsp; LD1$&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256&#8230;}<\/p>\n\n\n\n<p>In this case, the results show that there are AES128-SHA96 and AES256-SHA96 keys available for the accounts found in the logs, meaning these accounts will continue to work if RC4 is disabled.<\/p>\n\n\n\n<p><strong>Get-KerbEncryptionUsage.ps1<\/strong><\/p>\n\n\n\n<p>Use this PowerShell script to query the same events to see which encryption types Kerberos used within your environment. In this example, the requests used AES256-SHA96, which is a part of AES-SHA1.<\/p>\n\n\n\n<p>PS C:\\tools&gt; .\\Get-KerbEncryptionUsage.ps1<\/p>\n\n\n\n<p>Time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1\/21\/2025 2:00:10 PM<\/p>\n\n\n\n<p>Requestor&nbsp; : ::1<\/p>\n\n\n\n<p>Source&nbsp;&nbsp;&nbsp;&nbsp; : AdminUser@CONTOSO.COM<\/p>\n\n\n\n<p>Target&nbsp;&nbsp;&nbsp;&nbsp; : LD1$<\/p>\n\n\n\n<p>Type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : TGS<\/p>\n\n\n\n<p>Ticket&nbsp;&nbsp;&nbsp;&nbsp; : AES256-SHA96<\/p>\n\n\n\n<p>SessionKey : AES256-SHA96<\/p>\n\n\n\n<p>Time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1\/21\/2025 2:00:10 PM<\/p>\n\n\n\n<p>Requestor&nbsp; : 192.168.1.1<\/p>\n\n\n\n<p>Source&nbsp;&nbsp;&nbsp;&nbsp; : AdminUser<\/p>\n\n\n\n<p>Target&nbsp;&nbsp;&nbsp;&nbsp; : krbtgt<\/p>\n\n\n\n<p>Type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : AS<\/p>\n\n\n\n<p>Ticket&nbsp;&nbsp;&nbsp;&nbsp; : AES256-SHA96<\/p>\n\n\n\n<p>SessionKey : AES256-SHA96<\/p>\n\n\n\n<p>With this script, you can try out additional filtering options on specific encryption algorithms. For example, use the RC4 filter to specifically find requests that used RC4:<\/p>\n\n\n\n<p>PS C:\\tools&gt; .\\Get-KerbEncryptionUsage.ps1 -Encryption RC4<\/p>\n\n\n\n<p>You can also use security information and event management (SIEM) solutions, like Microsoft Sentinel, or built-in Windows event forwarding as described in&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/blog\/askds\/so-you-think-you%E2%80%99re-ready-for-enforcing-aes-for-kerberos\/4080124\" target=\"_blank\" rel=\"noreferrer noopener\">So, you think you\u2019re ready for enforcing AES for Kerberos?<\/a>&nbsp;to query these logs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"recommendations-on-rc4-usage-scenarios\">Recommendations on RC4 usage scenarios<\/h2>\n\n\n\n<p>You\u2019ve used the scripts and identified RC4 usage. Now what should you do?<\/p>\n\n\n\n<p>Here are some common scenarios and recommended solutions. For deeper dives, see our official&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/detect-remediate-rc4-kerberos\" target=\"_blank\" rel=\"noreferrer noopener\">Detect and remediate RC4 usage in Kerberos documentation<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"a-user-account-only-has-rc4-keys\">A user account only has RC4 keys<\/h3>\n\n\n\n<p>You used the List-AccountKeys.ps1 script and have identified a user or machine account that only has RC4 in the list of keys. To prepare this account to use AES-SHA1 instead of RC4, reset the account password. Resetting the password will automatically create AES128-SHA96 and AES256-SHA96 keys in Active Directory for the account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"a-user-account-doesn-t-show-support-for-aes-sha1\">A user account doesn\u2019t show support for AES-SHA1<\/h3>\n\n\n\n<p>You queried the Security log and found an account where the msds-SupportedEncryptionTypes field does not include the AES-SHA1 encryption types. There are multiple reasons why this may be the case and the most common scenarios are outlined below:<\/p>\n\n\n\n<p><strong>Scenario 1:<\/strong>&nbsp;The source or target account for a request might not have AES128-SHA96 and AES256-SHA96 correctly configured in its&nbsp;<a href=\"https:\/\/learn.microsoft.com\/previous-versions\/windows\/it-pro\/windows-10\/security\/threat-protection\/security-policy-settings\/network-security-configure-encryption-types-allowed-for-kerberos\" target=\"_blank\" rel=\"noreferrer noopener\">supported encryption types<\/a>. If this is the case, here\u2019s how you can view the policy:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can use&nbsp;<strong>Active Directory Users and Computers (ADUC)<\/strong>&nbsp;with Advanced Features enabled (under&nbsp;<strong>View<\/strong>&nbsp;&gt;&nbsp;<strong>Advanced features<\/strong>). Review the msDS-SupportedEncryptionTypes attribute for an account to confirm the configuration. Find the account of interest in ADUC and right-click the account name. Select&nbsp;<strong>Properties<\/strong>&nbsp;and, in the newly opened window, select the&nbsp;<strong>Attribute Editor<\/strong>&nbsp;tab. In the list of attributes, find msDS-SupportedEncryption to confirm the configuration of the account. If needed, configure the account to include AES128-SHA96 and AES256-SHA96 using Group Policy.<\/li>\n<\/ul>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;69d80b00a09f2&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"437\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1ee23295a406cf78977255661e.jpg\" alt=\"Active Directory Users and Computers.\" class=\"wp-image-21255\" srcset=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1ee23295a406cf78977255661e.jpg 624w, https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1ee23295a406cf78977255661e-300x210.jpg 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can also use PowerShell. Use the following Get-ADObject command.&nbsp;<em>Note<\/em>: The output for mdds-SupportedEncryptionTypes will be in decimal format.<\/li>\n<\/ul>\n\n\n\n<p>PS C:\\&gt; Get-ADObject -Filter &#8220;Name -eq &#8216;LM1&#8217; -and (ObjectClass -eq &#8216;Computer&#8217; -or ObjectClass -eq &#8216;User&#8217;)&#8221;&nbsp; -Properties &#8220;msds-SupportedEncryptionTypes&#8221;<\/p>\n\n\n\n<p>DistinguishedName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : CN=LM1,CN=Computers,DC=contoso,DC=com<\/p>\n\n\n\n<p>msds-SupportedEncryptionTypes : 28<\/p>\n\n\n\n<p>Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : LM1<\/p>\n\n\n\n<p>ObjectClass&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : computer<\/p>\n\n\n\n<p>ObjectGUID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 3a4c6bc4-1a44-4f1f-b74a-02ec4a931947<\/p>\n\n\n\n<p>To interpret the values and to determine the best configuration for your environment, check out\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/blog\/coreinfrastructureandsecurityblog\/active-directory-hardening-series---part-4-%E2%80%93-enforcing-aes-for-kerberos\/4114965\" target=\"_blank\" rel=\"noreferrer noopener\">Active Directory Hardening Series &#8211; Part 4 \u2013 Enforcing AES for Kerberos<\/a>\u00a0and\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/blog\/coreinfrastructureandsecurityblog\/decrypting-the-selection-of-supported-kerberos-encryption-types\/1628797\" target=\"_blank\" rel=\"noreferrer noopener\">Decrypting the Selection of Supported Kerberos Encryption Types<\/a>.<\/p>\n\n\n\n<p>After setting the right combination for your environment, restart the device, and it will update its msds-SupportedEncryptionTypes attributes in the active directory database.<\/p>\n\n\n\n<p><strong>Scenario 2<\/strong>: The source or the target machine might not have the msds-SupportedEncryptionTypes defined in AD and is falling back to the default supported encryption types.<\/p>\n\n\n\n<p>You\u2019ll need to have a more holistic understanding of your environment. Do you know what happens to devices that don\u2019t have a value defined for msds-SupportedEncryptionTypes or the value is set to 0? Normally, these devices will automatically receive the value of&nbsp;<a href=\"https:\/\/aka.ms\/ddset\" target=\"_blank\" rel=\"noreferrer noopener\">DefaultDomainSupportEncTypes<\/a>. Depending on your individual risk tolerance, consider using one of the following methods to address this scenario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define the specific msds-SupportedEncryptionTypes value in the account properties to ensure it isn\u2019t falling back to the DefaultDomainSupportedEncTypes.<\/li>\n\n\n\n<li>Set the DefaultDomainSupportedEncTypes to include AES128-SHA1 and AES256-SHA1.&nbsp;<em>Note<\/em>: This will change the behavior of all accounts that don\u2019t have a value for msds-SupportedEncryptionTypes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-device-doesn-t-support-aes128-sha96-or-aes256-sha96\">The device doesn\u2019t support AES128-SHA96 or AES256-SHA96<\/h3>\n\n\n\n<p>The last version of Windows devices that did not support AES128-SHA96 and AES256-SHA96 was Windows Server 2003. We strongly recommend that you migrate to a supported version of Windows as soon as possible.<\/p>\n\n\n\n<p>If you have a third-party device that does not support AES128-SHA1 and AES256-SHA1, we want to hear from you! Please reach out to&nbsp;<a href=\"mailto:stillneedrc4@microsoft.com\" target=\"_blank\" rel=\"noreferrer noopener\">stillneedrc4@microsoft.com<\/a>\u202ftelling us:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What is this device?<\/li>\n\n\n\n<li>How does it fit into your workflow?<\/li>\n\n\n\n<li>What is your timeline for upgrading this device?<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"using-wac-for-configuring-allowed-encryption-types\">Using WAC for configuring allowed encryption types<\/h2>\n\n\n\n<p>Microsoft provides a security baseline for Windows Server 2025 to set and audit recommended security configurations. This baseline includes disabling RC4 as an allowed encryption type for Kerberos. You can apply security baselines or view compliance using\u00a0<a href=\"https:\/\/learn.microsoft.com\/windows-server\/security\/osconfig\/osconfig-how-to-configure-security-baselines?tabs=online%2Cconfigure\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell<\/a>\u00a0or using the\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/blog\/ITOpsTalkBlog\/using-osconfig-to-manage-windows-server-2025-security-baselines\/4415824\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Admin Center<\/a>.<\/p>\n\n\n\n<p>In Windows Admin Center, you can access the security baseline compliance report by connecting to the server you\u2019ve configured using OSConfig by selecting the Security Baseline tab of the Security blade. In the Security Baselines tab, you can filter for the policy \u201cNetwork Security: Configure encryption types allowed for Kerberos\u201d to see your current compliance state for allowed encryption types. The compliant values for this policy in the baseline that do not allow RC4 are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>2147483624: AES128-SHA96 + Future Encryption types<\/li>\n\n\n\n<li>2147483632: AES256-SHA96 + Future Encryption types<\/li>\n\n\n\n<li>2147483640: AES128-SHA96 + AES256-SHA96 + Future Encryption<\/li>\n<\/ul>\n\n\n\n<p>This is an example of the audit report indicating a device with a compliant setting:<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;69d80b00a1eb3&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1351\" height=\"152\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1bad3ec33e824982e11eb54808.jpg\" alt=\"Audit report.\" class=\"wp-image-21256\" srcset=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1bad3ec33e824982e11eb54808.jpg 1351w, https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1bad3ec33e824982e11eb54808-300x34.jpg 300w, https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1bad3ec33e824982e11eb54808-1024x115.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1bad3ec33e824982e11eb54808-768x86.jpg 768w\" sizes=\"auto, (max-width: 1351px) 100vw, 1351px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>This is an example of audit showing devices configured with a setting that is different from the previous compliant values:<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;69d80b00a2e2b&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1348\" height=\"485\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1614cd8d04cf3bb0078ecbee1b.jpg\" alt=\"Audit showing devices.\" class=\"wp-image-21258\" srcset=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1614cd8d04cf3bb0078ecbee1b.jpg 1348w, https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1614cd8d04cf3bb0078ecbee1b-300x108.jpg 300w, https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1614cd8d04cf3bb0078ecbee1b-1024x368.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1614cd8d04cf3bb0078ecbee1b-768x276.jpg 768w\" sizes=\"auto, (max-width: 1348px) 100vw, 1348px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"using-stronger-ciphers\">Using stronger ciphers<\/h2>\n\n\n\n<p>In the current security landscape, RC4 isn\u2019t required to ensure secure Windows authentication. You can use stronger ciphers, like AES-SHA1, for authentication among all supported versions of Windows. We hope that these detection and mitigation tools help you and your organization in your hardening efforts. Please check out&nbsp;official <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/detect-remediate-rc4-kerberos\" target=\"_blank\" rel=\"noreferrer noopener\">Detect and remediate RC4 usage in Kerberos documentation<\/a>&nbsp;for more details and scenarios.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/www.microsoft.com\/en-us\/windows-server\" target=\"_blank\" rel=\"noreferrer noopener\">Get more details on the flexible, reliable infrastructure of Windows Server<\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever. The deprecation of RC4 (Rivest Cipher 4) encryption in Kerberos is a shift toward modern, resilient security standards.<\/p>\n","protected":false},"author":6104,"featured_media":21261,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msxcm_post_with_no_image":false,"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"post_tag":[32],"product":[],"content-type":[964],"solution":[952],"coauthors":[3728],"class_list":["post-21247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-powershell","content-type-updates","solution-server-management","review-flag-1593580427-982","review-flag-1710328007-107","review-flag-1593580418-473","review-flag-1593580770-929","review-flag-1-1593580431-223","review-flag-1-1710328007-20","review-flag-2-1593580436-936","review-flag-2-1710328007-310","review-flag-4-1593580446-763","review-flag-4-1710328008-217","review-flag-6-1593580456-819","review-flag-6-1710328008-798","review-flag-disab-1710328014-972","review-flag-new-1593580246-692","review-flag-new-1710328005-681"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Beyond RC4 for Windows authentication | Microsoft Windows Server Blog<\/title>\n<meta name=\"description\" content=\"As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Beyond RC4 for Windows authentication | Microsoft Windows Server Blog\" \/>\n<meta property=\"og:description\" content=\"As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Windows Server Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/WindowsServer\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-03T17:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-20T01:21:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2000\" \/>\n\t<meta property=\"og:image:height\" content=\"1333\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Matthew Palko\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg\" \/>\n<meta name=\"twitter:creator\" content=\"@WindowsServer\" \/>\n<meta name=\"twitter:site\" content=\"@WindowsServer\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Matthew Palko\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 min read\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/author\/matthew-palko\/\",\"@type\":\"Person\",\"@name\":\"Matthew Palko\"}],\"headline\":\"Beyond RC4 for Windows authentication\",\"datePublished\":\"2025-12-03T17:00:00+00:00\",\"dateModified\":\"2026-02-20T01:21:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/\"},\"wordCount\":2026,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg\",\"keywords\":[\"Powershell\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/\",\"name\":\"Beyond RC4 for Windows authentication | Microsoft Windows Server Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg\",\"datePublished\":\"2025-12-03T17:00:00+00:00\",\"dateModified\":\"2026-02-20T01:21:49+00:00\",\"description\":\"As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg\",\"width\":2000,\"height\":1333,\"caption\":\"An office setting of people using computers.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Beyond RC4 for Windows authentication\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/\",\"name\":\"Microsoft Windows Server Blog\",\"description\":\"Your Guide to the Latest Windows Server Product Information\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization\",\"name\":\"Microsoft Windows Server Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"width\":1,\"height\":1,\"caption\":\"Microsoft Windows Server Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/WindowsServer\",\"https:\/\/x.com\/WindowsServer\",\"https:\/\/www.linkedin.com\/showcase\/microsoft-cloud-platform\/\",\"https:\/\/www.youtube.com\/user\/MSCloudOS\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Beyond RC4 for Windows authentication | Microsoft Windows Server Blog","description":"As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/","og_locale":"en_US","og_type":"article","og_title":"Beyond RC4 for Windows authentication | Microsoft Windows Server Blog","og_description":"As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever.","og_url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/","og_site_name":"Microsoft Windows Server Blog","article_publisher":"https:\/\/www.facebook.com\/WindowsServer","article_published_time":"2025-12-03T17:00:00+00:00","article_modified_time":"2026-02-20T01:21:49+00:00","og_image":[{"width":2000,"height":1333,"url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg","type":"image\/jpeg"}],"author":"Matthew Palko","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg","twitter_creator":"@WindowsServer","twitter_site":"@WindowsServer","twitter_misc":{"Written by":"Matthew Palko","Est. reading time":"8 min read"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/author\/matthew-palko\/","@type":"Person","@name":"Matthew Palko"}],"headline":"Beyond RC4 for Windows authentication","datePublished":"2025-12-03T17:00:00+00:00","dateModified":"2026-02-20T01:21:49+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/"},"wordCount":2026,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg","keywords":["Powershell"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/","name":"Beyond RC4 for Windows authentication | Microsoft Windows Server Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg","datePublished":"2025-12-03T17:00:00+00:00","dateModified":"2026-02-20T01:21:49+00:00","description":"As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_1b948518c4213bcca5164c2064.jpg","width":2000,"height":1333,"caption":"An office setting of people using computers."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/03\/beyond-rc4-for-windows-authentication\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/"},{"@type":"ListItem","position":2,"name":"Beyond RC4 for Windows authentication"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/","name":"Microsoft Windows Server Blog","description":"Your Guide to the Latest Windows Server Product Information","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization","name":"Microsoft Windows Server Blog","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","width":1,"height":1,"caption":"Microsoft Windows Server Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/WindowsServer","https:\/\/x.com\/WindowsServer","https:\/\/www.linkedin.com\/showcase\/microsoft-cloud-platform\/","https:\/\/www.youtube.com\/user\/MSCloudOS"]}]}},"word_count":1792,"msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Windows Server Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/posts\/21247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/users\/6104"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/comments?post=21247"}],"version-history":[{"count":7,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/posts\/21247\/revisions"}],"predecessor-version":[{"id":21278,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/posts\/21247\/revisions\/21278"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/media\/21261"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/media?parent=21247"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/post_tag?post=21247"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/product?post=21247"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/content-type?post=21247"},{"taxonomy":"solution","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/solution?post=21247"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/coauthors?post=21247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}