On Sun, May 9, 2021 at 9:23 PM Spike White <spikewhitetx(a)gmail.com> wrote:
> My understanding is that even AD 2016 will support arcfour-hmac
> (even though it's deprecated and not recommended).

Correct; we are using it with Windows Server 2016.

> Local company AD teams will make the decision to stop supporting
> arcfour-hmac or not. (For instance, our company's team tried -- and
> it broke something to do with cross-domain auth. So they reverted.)

In order to kill arcfour-hmac-md5 you must ensure that literally
*every* Kerberos principal in your AD domain has at least one of the
Kerberos encryption types enabled. Alas, that’s a high bar…
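
An added example, not part of the e-mail above: one way to audit the condition described in the reply, by decoding `msDS-SupportedEncryptionTypes` from an LDIF export and listing principals with no AES type enabled. It assumes that the "Kerberos encryption types" meant are the AES ones and that an unset attribute leaves the account dependent on arcfour-hmac; the account names and the sample export are constructed.

```python
# Bit values of the AD attribute msDS-SupportedEncryptionTypes.
ETYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
AES_MASK = 0x08 | 0x10

# Constructed sample in the shape of unwrapped ldapsearch LDIF output
# (e.g. run with -o ldif-wrap=no); DNs and account names are made up.
SAMPLE_LDIF = """\
dn: CN=websvc,OU=Service,DC=example,DC=com
sAMAccountName: websvc
msDS-SupportedEncryptionTypes: 4

dn: CN=HOST1,OU=Computers,DC=example,DC=com
sAMAccountName: HOST1$
msDS-SupportedEncryptionTypes: 28

dn: CN=legacy,OU=Service,DC=example,DC=com
sAMAccountName: legacy
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated entry."""
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        yield {key: value for key, sep, value in pairs if sep}

def decode(mask):
    return [name for bit, name in ETYPE_BITS.items() if mask & bit]

def rc4_dependent(text):
    """Return (account, enabled etypes) for entries with no AES bit set."""
    flagged = []
    for entry in parse_ldif(text):
        # Assumption: a missing attribute is treated like 0 (no AES enabled).
        mask = int(entry.get("msDS-SupportedEncryptionTypes", "0"))
        if not mask & AES_MASK:
            flagged.append((entry["sAMAccountName"], decode(mask) or ["unset"]))
    return flagged

if __name__ == "__main__":
    for name, etypes in rc4_dependent(SAMPLE_LDIF):
        print(f"{name}: {', '.join(etypes)}")
```

The attribute only records what is advertised for the account, so an account that passes this check can still lack AES keys until its password is next changed.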