-------------------------------------------
Original Message:
Sent: Apr 16, 2026 07:07 AM
From: snapfriend
Subject: In the windows DC we found the event ID 5840 of VCenter account
Hello
There is already a VMware article with the same symptoms and description, as mentioned below.
Every step and question is answered in the article. If it is relevant, please check it. The article below applies to "VMware vCenter Server 8.0.x, VMware vCenter Server 6.x & VMware vCenter Server 7.0.x".
One of the questions answered in the article is shown below, and there are many more.
Q: Does vCenter use RC4 for encryption of Kerberos tickets?
A: By default, vCenter offers AES128 and AES256 encryption. The type of encryption used is determined by the server. RC4 encryption is only used if the server does not support a better method.
Precautionary action: Please take a vCenter snapshot and make sure a backup is already present. If you have a test vCenter server, look into that as well to see whether it has the same symptoms.
https://knowledge.broadcom.com/external/article/344915/impact-of-rpc-sealing-enforcement-micros
Original Message:
Sent: Jan 27, 2025 10:52 AM
From: xorraadeu
Subject: In the windows DC we found the event ID 5840 of VCenter account
Hello everyone, we get this event on the DC:
The Netlogon service has created a secure channel with a client with RC4.
Account name: VC$
Domain: hello.local
Account Type: Domain Member
Customer IP Address:
Negotiated Flags: 6007ffff
For more information about why this was registered, visit https://go.microsoft.com/fwlink/?linkid=2209514.
If you encounter Event 5840, this is a sign that a client in your domain is using weak cryptography or RC4.
I have seen that the configuration file /etc/krb5.conf on the vCenter contains this:
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
I have looked at the Kerberos ticket on the vCenter and I get AES256 encryption, not RC4.
Ticket cache: FILE:/tmp/krb5cc_0
Default main: user@hola.local
Valid starting Expires Service principal
01/27/2025 12:00 01/28/2025 12:00 krbtgt/hola.local @hola.local
Etype (encryption type): aes256-cts-hmac-sha1-96
I understand that I don't have to do anything, since the vCenter account is already encrypting in AES256 and not RC4.
Or do I have to do something else?
Thanks in advance
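
Added example, not part of either post and not VMware or Microsoft code: a small decoder for the "Negotiated Flags" field of the Event 5840 text quoted above. Event 5840 reports on the Netlogon secure channel, so its flags are read here on their own, separately from the ticket etype shown in the ticket cache. The bit values are the Netlogon negotiate options from MS-NRPC; the function names and the sample text are constructed for illustration.

```python
import re

# Netlogon negotiate-option bits (MS-NRPC); only the bits relevant to the
# cipher question are listed. Names are illustrative, not official identifiers.
FLAGS = {
    "rc4": 0x00000004,         # supports RC4 encryption
    "strong_keys": 0x00004000, # supports strong (128-bit) keys
    "aes_sha2": 0x01000000,    # supports AES encryption and SHA2 hashing
    "secure_rpc": 0x40000000,  # supports Secure RPC
}

# Constructed sample: the fields of the Event 5840 message quoted in the thread.
SAMPLE_EVENT = """\
The Netlogon service has created a secure channel with a client with RC4.
Account name: VC$
Domain: hello.local
Account Type: Domain Member
Customer IP Address:
Negotiated Flags: 6007ffff
"""

def parse_event(text):
    """Return the 'Key: value' lines of the event message as a dict (keys lowercased)."""
    return {m.group(1).strip().lower(): m.group(2).strip()
            for m in re.finditer(r"^([^:\n]+):[ \t]*(.*)$", text, re.M)}

def decode_flags(hex_value):
    """Map each known capability name to True/False for a hex flags string."""
    value = int(hex_value, 16)
    return {name: bool(value & bit) for name, bit in FLAGS.items()}

def assess(text):
    """Return (account, capabilities, verdict) for one event message."""
    fields = parse_event(text)
    caps = decode_flags(fields["negotiated flags"])
    if caps["aes_sha2"]:
        verdict = "AES bit set: secure channel negotiated AES"
    elif caps["rc4"]:
        verdict = "RC4 only: secure channel negotiated without the AES bit"
    else:
        verdict = "neither AES nor RC4 bit set"
    return fields["account name"], caps, verdict

if __name__ == "__main__":
    print(assess(SAMPLE_EVENT))
```

Run against events exported from the DC, this lists which machine accounts still negotiate a Netlogon secure channel without the AES bit.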