ESXi using RC4 encryption for Kerberos authentication to Active Directory

Article ID: 399639


Products

VMware vSphere ESXi

Issue/Introduction

After an ESXi host is joined to Active Directory, the Kerberos configuration written to /etc/krb5.conf lists RC4-HMAC among the permitted encryption types, so the host may negotiate RC4-HMAC, a deprecated cipher, for its Kerberos exchanges with the domain.

Environment

ESXi 8.x

Cause

RC4-HMAC is included in the encryption-type lists (default_tgs_enctypes, default_tkt_enctypes and preferred_enctypes) of the krb5.conf that ESXi generates by default.

Resolution

Edit the ESXi host's /etc/krb5.conf to remove RC4-HMAC from the Kerberos encryption-type lists, and prevent the file from being regenerated with the defaults.

 

1. SSH to the target ESXi host (the edits below require root).
 
2. Back up /etc/krb5.conf to a safe place so it can be restored if domain authentication fails after the change.
 
3. Edit /etc/krb5.conf, removing the keyword "RC4-HMAC" from the lines configuring "default_tgs_enctypes", "default_tkt_enctypes" and "preferred_enctypes". Kerberos AES support must be enabled on the domain controllers and on the host's computer account; if RC4-HMAC was the only encryption type the two sides had in common, ticket requests will fail after this change. The allow_weak_crypto line is left unchanged by this procedure.

Before: 
[libdefaults]
   default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
   default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
   preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
   allow_weak_crypto = true
 
After:  
[libdefaults]
   default_tgs_enctypes = AES256-CTS AES128-CTS 
   default_tkt_enctypes = AES256-CTS AES128-CTS 
   preferred_enctypes = AES256-CTS AES128-CTS  
   allow_weak_crypto = true

4. In the [likewise] section of the same file, set "disable_modifications" to "true" so that Likewise (the ESXi Active Directory integration agent) does not rewrite krb5.conf and restore the default encryption-type lists.

Before:
[likewise]
  disable_modifications = false
  version = 1
 
After: 
[likewise]
  disable_modifications = true
  version = 1  

5. Save the changes and reboot the target ESXi host. After the reboot, confirm that a domain account can still log in to the host; if it cannot, restore the backup taken in step 2.
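The following script is an added example, not VMware's code or part of this article: it performs steps 2 to 4 on the ESXi shell (POSIX sh, awk and grep only, so it also runs under the host's BusyBox tools), keeps a backup, and refuses to replace krb5.conf if the rewrite would leave an enctype list empty or still containing RC4-HMAC. It assumes the stock file layout shown above; the function names, the ".bak" suffix and the sample file written by write_sample (a constructed copy of the article's "Before" section) are this example's own. The reboot in step 5 is still required.

```shell
#!/bin/sh
# Added example, not from the VMware KB article. Assumes the krb5.conf layout
# shown in the article; helper names and the .bak suffix are this example's own.

# strip_rc4 SRC DST: write DST as SRC with RC4-HMAC removed from the three
# enctype lists and disable_modifications forced to true. Every other line,
# including allow_weak_crypto, is copied unchanged, as in the article.
strip_rc4() {
    awk '
      /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes)[ \t]*=/ {
          gsub(/[ \t]*RC4-HMAC/, "")     # drop the token and its leading blank
      }
      /^[ \t]*disable_modifications[ \t]*=/ {
          sub(/=.*/, "= true")           # stop Likewise regenerating the file
      }
      { print }
    ' "$1" > "$2"
}

# check_krb5 FILE: return 0 when no RC4-HMAC remains, every enctype line still
# lists at least one enctype, and modifications are disabled; 1 otherwise.
check_krb5() {
    if grep -q 'RC4-HMAC' "$1"; then return 1; fi
    if grep -E '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes)[[:space:]]*=[[:space:]]*$' "$1" >/dev/null; then
        return 1   # an empty list would leave the host with no usable enctype
    fi
    grep -Eq '^[[:space:]]*disable_modifications[[:space:]]*=[[:space:]]*true' "$1"
}

# harden_krb5 FILE: back FILE up (step 2), rewrite it (steps 3 and 4), and keep
# the rewrite only if check_krb5 passes; otherwise FILE is left untouched.
harden_krb5() {
    f="$1"
    cp "$f" "$f.bak" || return 1
    strip_rc4 "$f" "$f.new" || return 1
    if check_krb5 "$f.new"; then
        mv "$f.new" "$f"
    else
        rm -f "$f.new"; return 1
    fi
}

# write_sample DIR: write a constructed copy of the article's "Before" file
# to DIR/krb5.conf so the procedure can be tried offline.
write_sample() {
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
   default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
   default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
   preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
   allow_weak_crypto = true
[likewise]
  disable_modifications = false
  version = 1
EOF
}

# demo: run the procedure on the constructed sample and show the result.
demo() {
    d=$(mktemp -d)
    write_sample "$d"
    harden_krb5 "$d/krb5.conf" && cat "$d/krb5.conf"
}

# Usage: sh harden_krb5.sh /etc/krb5.conf   (on the host, as root, then reboot)
# With no argument the constructed sample is processed instead.
if [ $# -gt 0 ]; then harden_krb5 "$1"; else demo; fi
```

Running it with no argument on a workstation shows the same "After" file the article lists; running it against /etc/krb5.conf on the host applies steps 2 to 4, leaving /etc/krb5.conf.bak for the rollback in step 5.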