Beginning April 2026, Microsoft updates will stop Domain Controllers from issuing RC4‑based Kerberos tickets by default, assuming AES‑only encryption.
By July 2026, RC4 will be fully disabled (enforcement phase), causing any system still reliant on RC4 to fail authentication.
This change is driven by long‑standing RC4 weaknesses and CVE‑2026‑20833, which exposes environments to Kerberoasting attacks.
In CCS, we do not explicitly set the Kerberos encryption type. It is generally governed by the Domain Controller and is negotiated in a "handshake" between our service and the Key Distribution Center (KDC/Domain Controller).
To verify the encryption type on a machine (mostly on the Application Server):
From a Command Prompt, run the command klist.
It will display all Kerberos tickets.
Check "KerbTicket Encryption Type" for the tickets generated for CCS components.
This shows which encryption type is used for the tickets.
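
The klist check above can be scripted so that RC4 tickets stand out. The following PowerShell is an added example, not part of CCS; it assumes English-language klist output, and the account, host and realm names in the sample are constructed placeholders.

```powershell
# Added example: parse klist output and flag tickets whose
# "KerbTicket Encryption Type" is RC4.
function Get-KerbTicketEncryption {
    param(
        # Lines of klist output; defaults to running klist on this machine.
        [string[]]$KlistOutput = (klist)
    )
    $server = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(.+?)\s*$') {
            # Remember the service the next encryption line belongs to.
            $server = $Matches[1]
        }
        elseif ($line -match '^\s*KerbTicket Encryption Type:\s*(.+?)\s*$') {
            [pscustomobject]@{
                Server         = $server
                EncryptionType = $Matches[1]
                IsRC4          = $Matches[1] -match 'RC4'
            }
            $server = $null
        }
    }
}

# Constructed sample output (hypothetical names) so the parser can be tried offline.
$sample = @'
#0>     Client: svc_ccs @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1>     Client: svc_ccs @ EXAMPLE.LOCAL
        Server: MSSQLSvc/db01.example.local:1433 @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Session Key Type: RSADSI RC4-HMAC(NT)
'@ -split "`r?`n"

Get-KerbTicketEncryption -KlistOutput $sample | Format-Table -AutoSize

# On a real Application Server, list only the tickets that still use RC4:
# Get-KerbTicketEncryption | Where-Object IsRC4
```

klist lists the ticket cache of the current logon session only, so run it in a session of the account that the CCS component uses.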