Microsoft Confirms Upcoming Deprecation of RC4 Encryption

Microsoft has officially announced plans to deprecate the RC4 encryption algorithm used in Kerberos authentication. The algorithm, which has been in use for over three decades and is known to have serious security flaws, is expected to be phased out by mid-2026.

Rivest Cipher 4, or RC4, was developed by cryptographer Ron Rivest in 1987. Its vulnerabilities became clear after the algorithm’s design was leaked in 1994, exposing it to multiple attack techniques. Among them is Kerberoasting, which targets Kerberos deployments that rely on RC4, a configuration that has existed in Microsoft’s Active Directory since its early days.

[Image: Active Directory Users and Computers | Image Credit: Microsoft]

“RC4 offered significant compatibility benefits but has long been vulnerable,” stated Matthew Palko, a Microsoft Principal Program Manager. He confirmed that by mid-2026, default RC4 support will be disabled. Windows Server Kerberos services (2008 and later) will instead default to the more robust AES-SHA1 encryption.

Domain administrators will retain the ability to manually configure RC4 for specific accounts, though Microsoft advises against using it because of the security risks.

Steve Syfuhs of Microsoft said on Bluesky that removing an encryption algorithm embedded in every Windows release for more than 25 years was a difficult task. During that time, developers mitigated RC4’s most serious flaws and gradually shifted Kerberos toward AES to reduce reliance without disrupting compatibility.

Now that the plan is locked in, Microsoft is giving organizations a way to see what still needs fixing. New PowerShell scripts can flag systems that are still using RC4 for authentication. Palko says the fix is either migrating to AES-SHA1 or upgrading Windows altogether, pointing out that Server 2003 was the last version that didn’t properly support modern AES encryption.
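As an added illustration, not one of the Microsoft scripts the article refers to: a PowerShell pass over the `msDS-SupportedEncryptionTypes` attribute, which records which Kerberos encryption types each Active Directory account accepts (RC4 is bit 0x4, AES128 0x8, AES256 0x10), to list accounts that still permit RC4 or rely on the domain default. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access; the function name `Get-RC4EncryptionStatus` is this example's own.

```powershell
# Added example (not Microsoft's own tooling): find AD users and computers whose
# msDS-SupportedEncryptionTypes still allows RC4, so they can be moved to AES
# before the default changes. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-RC4EncryptionStatus {
    param($Account)   # an ADUser or ADComputer fetched with the attribute
    $etypes = $Account.'msDS-SupportedEncryptionTypes'
    if (-not $etypes) {
        # Attribute unset (common for user accounts): the KDC applies the
        # domain default, so these need reviewing rather than being assumed safe.
        return 'Unset (domain default)'
    }
    $allowsRC4 = ($etypes -band $RC4) -ne 0
    $allowsAES = ($etypes -band ($AES128 -bor $AES256)) -ne 0
    if ($allowsRC4 -and -not $allowsAES) { return 'RC4 only' }
    if ($allowsRC4)                      { return 'RC4 and AES' }
    return 'AES only'
}

$props    = 'msDS-SupportedEncryptionTypes', 'ServicePrincipalName'
$accounts = @(Get-ADUser -Filter * -Properties $props) +
            @(Get-ADComputer -Filter * -Properties $props)

$accounts |
    ForEach-Object {
        [pscustomobject]@{
            Name   = $_.SamAccountName
            Type   = $_.ObjectClass
            HasSPN = [bool]$_.ServicePrincipalName   # service accounts first
            Etypes = $_.'msDS-SupportedEncryptionTypes'
            Status = Get-RC4EncryptionStatus $_
        }
    } |
    Where-Object { $_.Status -ne 'AES only' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Accounts reported as `RC4 only` or `RC4 and AES` have RC4 explicitly enabled on the object; `Unset` rows inherit whatever the domain's default encryption policy is and should be checked against it.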

For years, security experts and policymakers warned that keeping outdated encryption in place was a risk waiting to happen. Democratic Senator Ron Wyden put it bluntly, calling the practice “gross cybersecurity negligence,” and many see Microsoft’s move as a long-overdue response.

RC4 continues to be supported across many software and hardware platforms outside Microsoft’s ecosystem, meaning the insecure algorithm and the systems that depend on it are likely to remain in use for years.
