RC4 Deprecation Validation for Active Directory Integration

Publish Date: SOTI MobiControl
62

Summary

Microsoft is deprecating RC4 encryption for Kerberos authentication in Active Directory. Customers should validate their SOTI MobiControl deployment before disabling RC4 to confirm that authentication and enrollment workflows continue to operate correctly

Related SOTI ONE Platform Products

SOTI MobiControl

Situation

Validating MobiControl Compatibility with Microsoft's Kerberos RC4 Deprecation 

Action Required: Microsoft is deprecating RC4 encryption as part of its Kerberos hardening initiative for Active Directory environments. Organizations planning to disable RC4 should validate that the change does not impact their existing SOTI MobiControl deployment. At this time, no known product issues have been identified. Validation should be performed in a test environment to confirm that disabling RC4 does not affect SOTI MobiControl authentication, Active Directory integrations, enrollment workflows, or certificate-based authentication before applying the change in production. 

Impact:

Potential areas that require validation include:

  • Web Console authentication
  • Active Directory authentication
  • Enrollment rules using Active Directory
  • User and group lookup
  • Existing device enrollment workflows
  • Device authentication
  • Kerberos authentication events

At present, no confirmed customer impact has been identified. This validation is intended to confirm product compatibility with Microsoft's Kerberos hardening changes.

Root Cause

Microsoft is strengthening Kerberos authentication by deprecating RC4 encryption in Active Directory environments. If any SOTI MobiControl functionality or third-party integration relies on RC4-based Kerberos authentication, disabling RC4 could potentially impact authentication or enrollment-related workflows. This validation is intended to determine whether any such dependency exists. 

Resolution 

Based on our current assessment, disabling RC4 encryption as part of Microsoft's Kerberos hardening initiative is not expected to affect SOTI MobiControl, provided the Active Directory environment is configured in accordance with Microsoft's recommendations. SOTI MobiControl does not have any known dependency on RC4 for its authentication or enrollment workflows. 

Process Description

Phase 1: Baseline Validation (Before Disabling RC4)

Before disabling RC4, verify that your existing SOTI MobiControl environment is functioning as expected. Validate the following: 

  • Configure OneLogin integration with SOTI MobiControl (if applicable)
  • Verify web console login
  • Validate Active Directory integration
  • Verify enrollment rules that rely on Active Directory
  • Validate user and group lookup
  • Verify existing device enrollment workflows
  • Document the expected behavior to use as a baseline for comparison after RC4 is disabled

Phase 2: Disable RC4 in the Active Directory Environment 

After disabling RC4 in a test Active Directory environment, validate the following: 

Authentication:

  • Web console login using OneLogin (if applicable)  
  • Active Directory authentication  
  • Kerberos authentication  
  • Administrator login  

Active Directory Integration - Verify: 

  • User lookup  
  • Group lookup  
  • Directory synchronization  
  • Enrollment rule execution  

Enrollment - Validate: 

  • Enrollment rules that rely on Active Directory  
  • Existing device enrollment workflows  
  • New device enrollment  
  • Device authentication  
  • Any authentication or enrollment failures 

Phase 3: Windows Security Validation 

Review the Windows Event Viewer by navigating to: Windows Logs → Security.

Check for: 

  • Kerberos authentication failures  
  • RC4-related warnings or errors  
  • Unexpected security events or alerts  
  • Authentication audit failures  

Phase 4: Kerberos Certificate Mapping (If Required)

If certificate-based authentication issues related to Kerberos are observed after disabling RC4, Microsoft recommends reviewing the certificate mapping configuration. If applicable, configure the following registry value: 

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL  

Registry Value: CertificateMappingMethods  

Type: DWORD  

Value: 00000000  

After applying the change: 

  1. Restart the affected services, or reboot the server if required.  
  2. Repeat the authentication and enrollment validation steps described above.  
  3. Verify that certificate-based authentication and device enrollment continue to function as expected. 

Was this helpful?