Kerberos & RC4 – What It Means for SAP Customers and How Onapsis Helps

Microsoft is changing how Windows Kerberos handles RC4, an old, insecure encryption algorithm that has historically been the default service ticket encryption for user-account SPNs (the category most SAP service accounts fall into) whose msDS-SupportedEncryptionTypes attribute is unset. The final enforcement phase begins July 2026. SAP environments with service accounts in this state, and keytabs lacking AES key material, will experience broken Single Sign-On (SSO) and authentication failures.
This is not a hypothetical future risk. The rollout has already begun. SAP customers need to act now.
| ⚠ Action Required Before July 2026: Phase 2 is already live. Customers who have not migrated may be experiencing SSO issues today. |
What Is RC4 and Why Does It Matter?
RC4 is a 1980s-era encryption algorithm that has been considered cryptographically broken for years. Security researchers can crack RC4-encrypted data in hours using modern hardware.
Two places in the SAP environment where RC4 has traditionally appeared:
- Kerberos authentication: the mechanism behind ‘transparent’ SAP SSO, where users log in to their Windows workstation and get automatic access to SAP without typing a password again. RC4 was the default encryption type for Kerberos tickets.
- TLS/HTTPS communication: the encrypted channel protecting web traffic between browsers, SAP GUI, and SAP servers. RC4 can appear here as one of the available encryption cipher suites.
Both are active attack surfaces. RC4 in Kerberos enables Kerberoasting, a credential theft attack where any domain user can steal a service account’s password hash and crack it offline. RC4 in TLS enables man-in-the-middle attacks on encrypted traffic.
Microsoft Enforcement Timeline
| Phase | Date | What Changed |
|---|---|---|
| Phase 1: Audit | January 2026 | Windows began logging every time RC4 was used. No behavior changed yet. |
| Phase 2: Default Shift | April 2026 (already in effect) | Windows domain controllers now issue AES tickets by default. SSO breaks if a Windows admin disables RC4 on the Windows side while the corresponding SAP service account has not been migrated to AES and its keytab is still RC4-only, leaving it with no AES keys to fall back to. |
| Phase 3: Enforcement | July 2026 | RC4 is no longer issued by default, and the domain-wide rollback is removed; the only remaining override is a per-account setting that auditors will not accept. Note: in this configuration Kerberos issues RC4 tickets only for accounts where it is explicitly enabled through the msDS-SupportedEncryptionTypes attribute (the same per-account behavior as in April). |
What Breaks in SAP
If an SAP environment has not migrated its service accounts and authentication infrastructure to AES:
- SAP GUI (SNC): SSO fails. The behavior the user sees depends on how the SAP system is configured. If interactive password logon is permitted as a fallback, the user is dropped to the standard logon screen and has to enter their credentials. If the system or user is configured for SNC-only authentication (no password fallback), the user cannot log in at all until SSO is restored.
- Browser-based front-ends (Fiori, WebDynpro, WebGUI via SPNego): The SPNego handshake fails. Users lose transparent SSO and are routed to whatever fallback the system has configured, which is typically a form-based login, a SAML redirect, or an authentication error if no fallback exists.
- ABAP-to-ABAP RFC over SNC with Kerberos: Affected RFC destinations fail with the same class of authentication errors as SAP GUI. Note: most Java-based middleware uses JCo RFC with X.509 certificates, not Kerberos, and is unaffected.
- SAP HANA Kerberos SSO: Fails when the HANA service account or keytab lacks AES key material. SAP documents this scenario in its HANA SSO guidance.
- After July: All of the above become permanent. Microsoft removes the DC-level rollback (the RC4DefaultDisablementPhase registry key and audit mode). Per-account fixes still work: regenerate keytabs with AES, or explicitly re-enable RC4 on the account (not recommended). The domain-wide undo, however, is gone.
This affects SAP NetWeaver ABAP, SAP NetWeaver Java, S/4HANA, SAP HANA, and any integration that uses SNC with Kerberos.
The Security Risk Beyond the Deadline
Even before July, any SAP environment still using RC4 faces an active threat today.
| Kerberoasting (MITRE ATT&CK T1558.003): Any domain user can silently request an authentication ticket for an SAP service account and crack the password offline. RC4 tickets are so weak that modern hardware can attempt over one billion password guesses per second. A cracked SAP service account typically carries broad access to financial data, HR records, and system configuration. |
As of May 2026, SAP has not published a Security Note for the Kerberos RC4 deprecation, but it has Knowledge Base Articles (KBAs) confirming that once Windows disables RC4, service accounts without an explicit AES-SHA1 encryption configuration risk losing their authentication capabilities and access to protected resources (SAP Note #3000930 & #2629070). Microsoft's documentation (CVE-2026-20833, KB on the January 2026 update) is the primary reference.
What Customers Need to Do
For Kerberos SSO (July 2026 Deadline)
- Audit, don’t assume. Use Microsoft’s List-AccountKeys.ps1 and Get-KerbEncryptionUsage.ps1 (Kerberos-Crypto GitHub repo) plus DC System log events 201–209 to find SAP service accounts still issuing or requesting RC4 tickets. These are the accounts at risk.
- For accounts lacking AES keys (password not reset since pre-2008 DFL): reset the password to generate AES keys. AES support itself is already on by default; no checkbox needed.
- Regenerate SAP keytabs with AES entries (ktpass /crypto AES256-SHA1 or /crypto ALL), matching the current KVNO.
- Deploy keytabs and test SAP GUI (SNC), Fiori/WebGUI (SPNego), and any ABAP-to-ABAP RFC destinations using SNC with Kerberos.
- Harden (optional but recommended): explicitly set msDS-SupportedEncryptionTypes = 0x18 (AES-only) on SAP service accounts to remove them as Kerberoasting targets, and use long passwords (25+ chars) where managed manually. gMSAs handle this automatically with 240-character auto-generated passwords.
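An added PowerShell audit script (not Onapsis or Microsoft code, and separate from the List-AccountKeys.ps1 helper mentioned above) that covers the audit, password-reset and hardening steps in one pass: it classifies every SPN-bearing account by its msDS-SupportedEncryptionTypes bitmask and password age, and optionally applies the 0x18 (AES-only) setting. The RSAT ActiveDirectory module and the 2008 cutoff date are assumptions.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [switch]$Remediate   # set 0x18 only after AES keytabs are deployed (keytab steps above)
)
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE)
$RC4     = 0x4
$AesOnly = 0x8 -bor 0x10   # AES128 + AES256 = 0x18, the value recommended above

# Constructed threshold: AES keys exist only for passwords set after the domain
# reached 2008 DFL, so adjust this date to when your domain was raised.
$aesCutoff = [datetime]'2008-01-01'

# Every account carrying an SPN is a Kerberos service account (SAP ones included)
$accounts = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(servicePrincipalName=*)' `
    -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName, PasswordLastSet

$report = foreach ($a in $accounts) {
    $etypes = $a.'msDS-SupportedEncryptionTypes'
    $state = if (-not $etypes) {
        'UNSET'        # DC default applied: RC4 before the shift, AES after it
    } elseif (-not ($etypes -band $AesOnly)) {
        'NO-AES'       # RC4/DES only: SSO breaks as soon as RC4 tickets stop being issued
    } elseif ($etypes -band $RC4) {
        'RC4+AES'      # works, but still Kerberoastable via an RC4 ticket request
    } else {
        'AES-ONLY'     # hardened state
    }
    $needsReset = (-not $a.PasswordLastSet) -or ($a.PasswordLastSet -lt $aesCutoff)

    [pscustomobject]@{
        Account      = $a.SamAccountName
        EncTypes     = if ($etypes) { '0x{0:X}' -f $etypes } else { '<unset>' }
        State        = $state
        PwdLastSet   = $a.PasswordLastSet
        NeedsPwReset = $needsReset   # reset generates AES keys; then regenerate the keytab
        SPNs         = ($a.servicePrincipalName -join ';')
    }

    # Harden only accounts that already hold AES keys; never flip a pre-2008 password
    if ($Remediate -and -not $needsReset -and $state -ne 'AES-ONLY') {
        if ($PSCmdlet.ShouldProcess($a.SamAccountName, 'Set msDS-SupportedEncryptionTypes = 0x18')) {
            Set-ADUser -Identity $a -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }
        }
    }
}
$report | Sort-Object State, Account | Format-Table -AutoSize
```

Run it with `-Remediate -WhatIf` first to preview changes; apply 0x18 to an account only after its keytab has been regenerated with AES entries, otherwise that account's SSO breaks immediately.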
How Onapsis Detects This: Platform Coverage
The Onapsis Platform includes three checks that directly address RC4 and weak cipher usage across the SAP TLS stack. With a simple scan, Onapsis customers can identify SAP Cloud Connector, Java, ABAP, S/4HANA and BW systems that are at risk of being negatively impacted by this change. Customers should contact their account manager for more details. While RC4 usage in SAP's SNC/Kerberos authentication layer falls under Windows/Active Directory configuration ownership, Onapsis Assess addresses the TLS/SSL communication layer, where RC4 is independently remediable within SAP's control.
