Can RC4 encryption for Kerberos-based communication be disabled?
Applies to
- ONTAP 9
- Domain Controller
Answer
- In 9.12 and above, you can disable advertising the RC4 encryption type
- In 9.11 and below, you cannot disable RC4 encryption for Kerberos-based communication
- Even when AES encryption for Kerberos-based communication is enabled on a vserver, advertising the RC4 encryption type cannot be disabled
- When AES and RC4 are both enabled, the vserver will always use AES, unless the client requests RC4 specifically, in which case RC4 is provided instead of AES
- The strongest encryption type is selected by the DC that provides the Kerberos ticket if multiple are available
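
The selection behaviour described in the answer above, as an added example (not NetApp or domain-controller code): a simplified Python model that assumes the DC picks the strongest type common to what the vserver advertises and what the client requests. It reports which clients would be left without a usable type once RC4 is no longer advertised; the client names and request lists are constructed.

```python
# Simplified model of Kerberos encryption-type selection (illustrative only;
# not ONTAP or domain-controller code).
# Assumed preference order for the DC: strongest first.
STRENGTH = ["aes256", "aes128", "rc4"]


def select_etype(advertised, requested):
    """Return the strongest type present in both lists, or None if none match."""
    common = set(advertised) & set(requested)
    for name in STRENGTH:
        if name in common:
            return name
    return None


def audit_rc4_removal(advertised, clients):
    """Compare each client's outcome before and after RC4 stops being advertised.

    clients maps a client name to the list of types it requests.
    Returns {client: (before, after, status)}.
    """
    hardened = [e for e in advertised if e != "rc4"]
    report = {}
    for name, requested in clients.items():
        before = select_etype(advertised, requested)
        after = select_etype(hardened, requested)
        # RC4 is the weakest type, so a client that negotiated RC4 had no
        # stronger type in common and is left with nothing once it is removed.
        status = "unchanged" if after == before else "breaks"
        report[name] = (before, after, status)
    return report


# Constructed sample data: hypothetical client names and request lists.
SAMPLE_CLIENTS = {
    "modern-client": ["aes256", "aes128", "rc4"],
    "rc4-only-client": ["rc4"],
    "aes128-client": ["aes128"],
}

if __name__ == "__main__":
    both_enabled = ["aes256", "aes128", "rc4"]
    for client, result in audit_rc4_removal(both_enabled, SAMPLE_CLIENTS).items():
        print(client, result)
```

Clients reported as "breaks" are the ones that request RC4 specifically and should be moved to AES before RC4 advertising is disabled.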