Skip to content
Rush Commerce
Software & Dev3 min read

Kerberos RC4 dies July 14: patch before your logins break

Microsoft's July 14 Patch Tuesday removes the RC4 escape hatch for Kerberos (CVE-2026-20833). Service accounts still on RC4 stop authenticating.

There's a deadline coming that won't send you an email. On July 14, 2026, Microsoft's Patch Tuesday update removes the last off-switch for RC4 encryption in Kerberos — the plumbing that authenticates every user and service account on a Windows domain. If anything in your environment still leans on RC4, the failure mode isn't a warning. It's logins that stop working.

What actually happened

This is the final phase of a year-long deprecation tied to CVE-2026-20833, a flaw that let an attacker request service tickets with weak RC4 encryption and then crack a service account's password offline. Microsoft rolled the fix out in three phases: an audit phase in January 2026 (warning events, nothing blocked), an enforcement-with-rollback phase in April (domain controllers defaulted to AES, but you could still flip RC4 back on via the RC4DefaultDisablementPhase registry key), and now the permanent phase in July.

Per Microsoft's hardening guide, the July update deletes that registry key and removes audit mode entirely. AES-SHA1 becomes the only path — RC4 is gone from the Kerberos KDC except for individual accounts you've explicitly whitelisted by setting the msDS-SupportedEncryptionTypes attribute. Miss one, and that account's authentication breaks the moment the update lands.

Why it matters for your business

You might not run a domain controller. But your line-of-business apps, your file shares, your backup service, that decade-old integration nobody wants to touch — a lot of them authenticate through Active Directory, and legacy service accounts are exactly where RC4 hides. The businesses that get burned by this aren't careless; they just never audited which accounts were still negotiating RC4, because nothing forced them to. Until July 14.

The fix is boring and cheap if you do it now: pull the audit events Microsoft's earlier phases have been logging since January, find every account and app still requesting RC4, and either upgrade it to AES or explicitly flag it. Do it after the update and you're diagnosing a production outage instead of reading a report. Legacy auth is the kind of infrastructure that works right up until a vendor decides it shouldn't — and this vendor already decided.

Key takeaways

  • The July 14, 2026 Windows update is the final phase of Kerberos RC4 deprecation (CVE-2026-20833) — it removes the ability to re-enable RC4 by default
  • Service accounts, apps, or integrations still negotiating RC4 will fail to authenticate unless explicitly configured with msDS-SupportedEncryptionTypes
  • Microsoft has been logging RC4-dependency warning events since the January 2026 audit phase — that data tells you exactly what to fix
  • The operator's move: audit now and migrate to AES, or debug an authentication outage after the patch lands

Not sure what in your stack still speaks RC4? We audit the legacy auth, integrations, and service accounts small businesses forget they depend on — then fix the ones that will break before the deadline finds them. See what we do or get a pre-patch audit.

Sources: Microsoft Support — CVE-2026-20833 RC4 KDC changes, Microsoft — How to Manage RC4 Hardening (Definitive Guide).

  • #kerberos
  • #active-directory
  • #windows
  • #security
  • #patching
TR

Tommy Rush — Founder, Rush Commerce

Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More

Get The Rush Report weekly — one email, zero fluff.