Knowledgebase: Azure AD Connect’s Seamless SSO breaks when you disable RC4_HMAC_MD5


It’s a recommended practice to disable weak ciphers and encryption algorithms. Some standards require this. As technology evolves, the list of available ciphers and their priority in encryption negotiations changes. This limits the risk of losing confidentiality on communications between systems, applications and (cloud) services.

While you’ve probably heard of disabling 3DES and all versions of SSL, one other recommendation rears its ugly head: disable RC4_HMAC_MD5.

About RC4_HMAC_MD5

RC4_HMAC_MD5 is Ron Rivest's stream cipher RC4 (Rivest Cipher 4) combined with a Hashed Message Authentication Code (HMAC) built on the Message-Digest algorithm 5 (MD5) checksum function.

When Microsoft released Windows 2000 Server and Active Directory, it kept backward compatibility with Windows NT and Windows 95. That meant supporting these older clients and enabling them to communicate using Kerberos. The easy way to do this was to use the NTLM password hash as the RC4 key with which Kerberos tickets are encrypted and signed. Because of this, RC4_HMAC_MD5 takes center stage in several Kerberos attacks, including Kerberoasting.

How to disable RC4_HMAC_MD5 in Active Directory

Follow these steps to disable RC4_HMAC_MD5 in Active Directory:

  1. Sign in with an account that is a member of the Domain Admins group of the Active Directory domain for which you want to disable RC4_HMAC_MD5.
  2. Open the Group Policy Management Console (gpmc.msc).
  3. In the left navigation pane, browse to the Default Domain Controllers Group Policy object.
  4. Right-click the object and select Edit… from the context menu.
  5. Navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies and then Security Options.
  6. Select the Network Security: Configure encryption types allowed for Kerberos group policy setting.
  7. Double-click the setting to edit it.
  8. Select the Define these policy settings option.
  9. In the list of available encryption types, deselect RC4_HMAC_MD5.
  10. Close the Group Policy setting.
  11. Close the Group Policy Management Console.
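
The policy setting above writes a bitmask to the registry. The following PowerShell, an added example and not code from the original article, decodes that bitmask and reports whether RC4_HMAC_MD5 is still allowed on the host where it runs, which is the check to make before expecting Seamless SSO to keep working (the registry path and bit values are the documented ones for this setting; the function names are mine).

```powershell
# Added example (not from the original article): decode the value the
# "Network security: Configure encryption types allowed for Kerberos" policy
# writes to the registry and report whether RC4_HMAC_MD5 is still allowed.

$KerberosEncTypes = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
    Future           = 0x80000000
}
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Turn a SupportedEncryptionTypes bitmask into the names of the allowed types.
function ConvertFrom-KerberosEncTypes {
    param([Parameter(Mandatory)][uint32]$Value)
    $KerberosEncTypes.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Evaluate a supplied value, or read the local policy value when none is given.
function Test-Rc4KerberosPolicy {
    param([uint32]$Value)
    if (-not $PSBoundParameters.ContainsKey('Value')) {
        $item = Get-ItemProperty -Path $PolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Setting is "Not Defined": Windows defaults apply and RC4_HMAC_MD5 stays negotiable.
            return [pscustomobject]@{ Defined = $false; Allowed = @(); Rc4Allowed = $true }
        }
        # A REG_DWORD comes back as Int32, so mask it before treating it as unsigned.
        $Value = [uint32]([int64]$item.SupportedEncryptionTypes -band 0xFFFFFFFF)
    }
    $allowed = @(ConvertFrom-KerberosEncTypes -Value $Value)
    [pscustomobject]@{
        Defined    = $true
        Allowed    = $allowed
        Rc4Allowed = ($allowed -contains 'RC4_HMAC_MD5')
    }
}

$result = Test-Rc4KerberosPolicy
if ($result.Rc4Allowed) {
    "RC4_HMAC_MD5 allowed (types: $($result.Allowed -join ', ')); Seamless SSO can keep working."
} else {
    "RC4_HMAC_MD5 disabled (types: $($result.Allowed -join ', ')); expect Seamless SSO to fail."
}
```

Run it on a domain controller after the Group Policy refresh, or pass `-Value 0x18` (AES only) to Test-Rc4KerberosPolicy to see the report the policy above will produce before you apply it.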

Impact

There is one situation in which the above security measure impacts functionality: when you disable RC4_HMAC_MD5, Azure AD Connect will no longer be able to offer Seamless Single Sign-On (S3O).

This is made clear in the Troubleshoot Azure Active Directory Seamless Single Sign-on page. If you want Azure AD Connect’s Seamless Single Sign-on functionality to work, RC4_HMAC_MD5 will need to be available.

Further actions

If you would like Microsoft to address this issue in Azure AD Connect, please vote for this change on the Azure Feedback website.

Further reading

SSL and TLS Deployment Best Practices
RC4 in TLS is Broken: Now What?
Prioritizing Schannel Cipher Suites
Cipher Suites in TLS/SSL (Schannel SSP)
245030 How to restrict the use of certain cryptographic algorithms and protocols
How Do I Remove Legacy Ciphers (SSL2, SSL3, DES, 3DES, MD5 and RC4) on NetScaler?
A Cipher Best Practice: Configure IIS for SSL/TLS Protocol
How to disable RC4 and 3DES on Windows Server?