Microsoft is phasing out the use of RC4 encryption for Kerberos authentication. VMware Aria Automation 8.x utilizes VMware Identity Manager (vIDM) for authentication services. If vIDM is configured to allow or prefer RC4-HMAC, Kerberos ticket negotiation may fail once Microsoft environment hardening is applied.
Symptoms include:
1. Potential authentication failures after applying Microsoft Kerberos security patches.
2. Security audit flags for weak encryption types (RC4) in the authentication path.
Environment:
VMware Aria Automation 8.18.1
VMware Identity Manager (vIDM) 3.3.x
Cause:
The default /etc/krb5.conf configuration on the vIDM appliance includes RC4-HMAC in the permitted and preferred encryption types, which is no longer considered secure and is being deprecated by Microsoft.
Resolution:
1. Take a snapshot of the vIDM appliance(s) and back up the configuration file:
cp /etc/krb5.conf /etc/krb5.conf.bak
2. Edit /etc/krb5.conf, removing the keyword "RC4-HMAC" from the lines configuring default_tgs_enctypes, default_tkt_enctypes, and preferred_enctypes.
For example:
[libdefaults]
    default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
3. Ensure the modified lines look similar to the following:
    default_tgs_enctypes = AES256-CTS AES128-CTS
    default_tkt_enctypes = AES256-CTS AES128-CTS
    preferred_enctypes = AES256-CTS AES128-CTS
4. Restart the SSSD service: systemctl restart sssd
5. Restart the Kerberos KDC service: systemctl restart krb5kdc
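The edit in steps 1 to 3 as a repeatable shell script with a post-edit check, added here as an example and not VMware's or vIDM's own tooling. It assumes each of the three keys is set once under [libdefaults], as in the sample above; the krb5.conf it writes is a constructed copy of that sample, and it also strips MIT Kerberos's arcfour-hmac / arcfour-hmac-md5 aliases for RC4-HMAC.

```shell
#!/bin/sh
# Added example, not VMware tooling: remove RC4 from the three enctype lines the
# KB names, then verify no key was left empty before restarting sssd/krb5kdc.
# Assumes each key is set once under [libdefaults], as in the KB's sample.
KEYS="default_tgs_enctypes default_tkt_enctypes preferred_enctypes"

# make_sample FILE: write a constructed krb5.conf matching the KB's "before" state.
make_sample() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
EOF
}

# strip_rc4 FILE: back FILE up to FILE.bak (step 1), then drop RC4-HMAC and the
# arcfour-hmac / arcfour-hmac-md5 aliases, in any case, from the three keys only.
strip_rc4() {
    f="$1"; tmp="$f.tmp.$$"
    cp "$f" "$f.bak" && cp "$f" "$tmp" || return 1
    for k in $KEYS; do
        sed -e "/^[[:space:]]*$k[[:space:]]*=/s/[[:space:]]*[Rr][Cc]4-[Hh][Mm][Aa][Cc]//g" \
            -e "/^[[:space:]]*$k[[:space:]]*=/s/[[:space:]]*[Aa][Rr][Cc][Ff][Oo][Uu][Rr]-[Hh][Mm][Aa][Cc]\(-[Mm][Dd]5\)\{0,1\}//g" \
            "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp" || return 1
    done
    mv "$tmp" "$f"
}

# rc4_count FILE: print how many of the three keys still list an RC4 enctype.
rc4_count() {
    n=0
    for k in $KEYS; do
        if grep -iE "^[[:space:]]*$k[[:space:]]*=.*(rc4-hmac|arcfour-hmac)" "$1" >/dev/null; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# empty_enctype_keys FILE: print keys whose list became empty. Such a line leaves
# the client with no permitted enctype at all, so restore from .bak rather than restart.
empty_enctype_keys() {
    for k in $KEYS; do
        grep -E "^[[:space:]]*$k[[:space:]]*=[[:space:]]*$" "$1" | sed 's/=.*//; s/[[:space:]]//g'
    done
}
```

Run strip_rc4 on the real /etc/krb5.conf only after the snapshot in step 1, and restart sssd and krb5kdc (steps 4 and 5) only when rc4_count prints 0 and empty_enctype_keys prints nothing.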