Impact of Microsoft RC4 Kerberos Deprecation on AutoSys, WCC, and EEM

Article ID: 438625

Products

Autosys Workload Automation

Issue/Introduction

Organizations may receive notification of upcoming Microsoft security enforcement regarding Kerberos encryption:

  • RC4 Kerberos encryption will no longer be accepted.
  • Authentication requests using RC4 will be denied.
  • Only AES Kerberos encryption will be permitted for AD/LDAP authentication.

Customers using AutoSys Workload Automation, Web UI (WCC), and Embedded Entitlements Manager (EEM) need to verify whether their environment is susceptible to outages caused by this change.

Cause

Microsoft is deprecating weak encryption algorithms (RC4) in favor of more secure AES-based encryption for Active Directory and LDAP authentication. If an application or its management component (like iGateway) is explicitly configured to use or allow only RC4, authentication will fail once the enforcement is active.

Resolution

Verify iGateway Configuration (EEM)
iGateway is a common component that handles communication for EEM. Check the igateway.conf file to ensure RC4 is explicitly excluded.

  1. Locate igateway.conf on your EEM server(s).
  2. Review the cipher suite configuration. A secure configuration that explicitly disables RC4 will look similar to the following:

    -ALL:HIGH:MEDIUM:!RC4:!RC2:!DES:!3DES:!IDEA:+TLSv1.2:@STRENGTH

Cipher String Breakdown:

  • -ALL: Clears the initial list of ciphers.
  • HIGH:MEDIUM: Includes only high and medium-strength ciphers.
  • !RC4: Explicitly disables and removes all RC4-based ciphers.
  • !RC2:!DES:!3DES:!IDEA: Disables other weak or deprecated ciphers.
  • +TLSv1.2: Ensures TLS 1.2 is prioritized.
  • @STRENGTH: Instructs OpenSSL to sort the final list by encryption strength (highest bits first).
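
One way to check a cipher string copied out of igateway.conf, added here as an example and not taken from the product or this article's vendor: it walks the rules left to right to confirm that `!RC4` permanently excludes RC4, then expands the string with the OpenSSL build linked into Python. The function names, the weak sample string and the `RC4_SOURCES` alias set are assumptions of this example, and the local expansion reflects the OpenSSL on the machine running the script, not necessarily the one iGateway uses.

```python
import ssl

# Cipher string shown in this article.
PAGE_STRING = "-ALL:HIGH:MEDIUM:!RC4:!RC2:!DES:!3DES:!IDEA:+TLSv1.2:@STRENGTH"
# Constructed weak sample (not from any product default).
WEAK_STRING = "ALL:!aNULL:+RC4:@STRENGTH"

# Assumption of this example: aliases that can pull RC4 suites in on older
# OpenSSL builds. Newer builds usually compile RC4 out entirely.
RC4_SOURCES = {"RC4", "ALL", "MEDIUM", "DEFAULT"}


def _names_rc4(name):
    """True for the RC4 alias, RC4+SHA style terms, or suite names like RC4-SHA."""
    return "RC4" in name.replace("+", "-").split("-")


def audit_rc4(cipher_string):
    """Walk the rules left to right; return 'excluded', 'exposed' or 'not-listed'."""
    killed = included = False
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token or token[0] in "+@":
            continue  # '+' only reorders, '@' is a sort/level directive
        op, name = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        if op == "!" and name in ("RC4", "ALL"):
            killed, included = True, False  # '!' is permanent
        elif op == "-" and name in ("RC4", "ALL"):
            included = False  # '-' removes, but a later rule may re-add
        elif op == "" and not killed and (name in RC4_SOURCES or _names_rc4(name)):
            included = True
    return "excluded" if killed else "exposed" if included else "not-listed"


def expand_locally(cipher_string):
    """Suite names the OpenSSL linked into this Python selects for the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for label, s in (("article", PAGE_STRING), ("weak sample", WEAK_STRING)):
        print(f"{label}: RC4 {audit_rc4(s)}")
    rc4 = [n for n in expand_locally(PAGE_STRING) if "RC4" in n]
    print("RC4 suites after local expansion:", rc4 or "none")
```

A result of `not-listed` means RC4 is not added by the string but is also not permanently excluded, so a later edit that appends an RC4 term would bring it back.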

 

Verify Other Components

  • AutoSys Scheduler/App Server: Review the $AUTOUSER/config.$AUTOSERV (Linux/Unix) or registry settings (Windows) to ensure no legacy encryption overrides are present.
  • WCC: Review connection.properties and the Tomcat wrapper.conf to verify the Java Runtime Environment (JRE) is not restricted to legacy ciphers.
  • Verification: If the Microsoft enforcement has already been applied in a lower environment (e.g., Development or QA) and authentication for AutoSys/WCC/EEM continues to function without issues, it indicates the components are already utilizing compatible encryption (AES) or are correctly excluding RC4.