ESXi using RC4 encryption for Kerberos authentication to Active Directory
Article ID: 399639

Products

VMware vSphere ESXi

Issue/Introduction

After configuring ESXi to authenticate with Active Directory, the ESXi host uses RC4 encryption for authentication by default. 

Environment

ESXi 8.x

Cause

The RC4 configuration is part of the default configuration for ESXi.  

Resolution

Edit the /etc/krb5.conf file on the ESXi host to remove the RC4 encryption type.

  1. SSH to the target host.
  2. Back up the /etc/krb5.conf file to a safe place.
  3. Edit /etc/krb5.conf, removing the keyword "RC4-HMAC" from the lines configuring "default_tgs_enctypes", "default_tkt_enctypes", and "preferred_enctypes".

     Before:
     [libdefaults]
      default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
      default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
      preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
      allow_weak_crypto = true

     After:
     [libdefaults]
      default_tgs_enctypes = AES256-CTS AES128-CTS
      default_tkt_enctypes = AES256-CTS AES128-CTS
      preferred_enctypes = AES256-CTS AES128-CTS
      allow_weak_crypto = true

  4. In the same file, set the "disable_modifications" value in the [likewise] section to "true".

     Before:
     [likewise]
     disable_modifications = false
     version = 1

     After:
     [likewise]
     disable_modifications = true
     version = 1

  5. Save the changes and reboot the target ESXi host.
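Steps 3 and 4 as a script, added here as an example; it is not part of the KB article and not VMware's own code. It works on a copy of the file passed as its first argument rather than on the live /etc/krb5.conf (on a host you would run it against /etc/krb5.conf only after taking the backup from step 2), builds the article's "Before" file as constructed sample input, and assumes the host's sed accepts -E for extended regular expressions. The check function reports whether RC4-HMAC is gone from the three enctype lines and disable_modifications is true, so it can also be used on its own to audit a host. Like the article's "After" block, it leaves allow_weak_crypto untouched.

```shell
#!/bin/sh
# Example (not from the KB article): apply steps 3 and 4 to a krb5.conf copy.

# Write the article's "Before" configuration to the path given (constructed sample).
write_sample_krb5() {
    cat > "$1" <<'EOF'
[libdefaults]
 default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
 default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
 preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
 allow_weak_crypto = true
[likewise]
disable_modifications = false
version = 1
EOF
}

# Step 3: drop the RC4-HMAC keyword from the three enctype lines only.
# Step 4: flip disable_modifications from false to true.
# Assumes sed -E (extended regex) is available; writes via a temp file so a
# failed sed never leaves a truncated krb5.conf behind.
harden_krb5() {
    f="$1"
    sed -E \
        -e '/^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes)[[:space:]]*=/ s/[[:space:]]*RC4-HMAC//g' \
        -e 's/^([[:space:]]*disable_modifications[[:space:]]*=[[:space:]]*)false/\1true/' \
        "$f" > "$f.new" && mv "$f.new" "$f"
}

# Audit check: exit 0 when the file matches the article's "After" state,
# exit 1 (with a reason on stdout) otherwise.
check_krb5() {
    f="$1"
    if grep -Eq '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes)[[:space:]]*=.*RC4-HMAC' "$f"; then
        echo "RC4-HMAC is still listed in an enctype line of $f"
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*disable_modifications[[:space:]]*=[[:space:]]*true' "$f"; then
        echo "disable_modifications is not true in $f"
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample; a real run would pass /etc/krb5.conf.
work="${TMPDIR:-/tmp}/krb5.conf.example.$$"
write_sample_krb5 "$work"
echo "Before:"
cat "$work"
check_krb5 "$work" || echo "(needs hardening)"
harden_krb5 "$work"
echo "After:"
cat "$work"
check_krb5 "$work" && echo "krb5.conf matches the hardened state"
rm -f "$work"
```

Running check_krb5 /etc/krb5.conf on a host after the reboot in step 5 confirms the change survived, which is the point of setting disable_modifications to true before rebooting.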