Here's a fun one. In July, a Windows security change is going to walk up to some of your SQL Server logins and quietly stop trusting them. No SQL patch. No SQL CVE. Nothing in the error log pointing at the real culprit. Connections that worked on Monday just start failing on Tuesday, and the message you get -- if you get one -- sends you off chasing the wrong thing entirely.
The change is the death of RC4 as a Kerberos fallback, tracked as CVE-2026-20833. It has been rolling out in phases all year. July is the phase with no take-backs, and the final enforcement phase arrives with the July 2026 Patch Tuesday releases.
The symptom you will actually see
This is the cruel part. The thing breaking is Kerberos ticket encryption out at the domain controller, but SQL Server doesn't know that. What lands in your lap is the same tired, generic error that has meant a hundred different things for twenty years:
Cannot generate SSPI context.
Or a login that times out. Or an app pool that starts throwing connection failures at 9:05am because that is when the service account went looking for a fresh ticket. The symptoms vary, but none of them say 'RC4' anywhere. You will burn an hour on SPNs and DNS before even looking at Kerberos.
So let's get ahead of it. First, we need to clarify what is changing and then we need to find out whether any of your instances will be impacted.
What is changing, in three dates
For roughly two decades, Active Directory handed out Kerberos tickets encrypted with RC4 as a compatibility fallback. RC4 is cryptographically weak. An attacker who can obtain an RC4-encrypted service ticket can crack the service account password offline, on their own machine, where nothing you own ever sees a failed login or account lockout. Against a weak service account password, this can happen far faster than most administrators realize. That is the entire Kerberoasting playbook, and it is exactly why MSFT is finally pulling the fallback.
CVE-2026-20833 (CVSS 5.5, information disclosure) is the staged removal of that fallback. Three milestones matter:
| Phase | What happens | Can you roll back? |
|---|---|---|
| Jan 2026 | Audit only. New System-log events warn you about at-risk tickets. RC4 still works. Nothing breaks yet. | N/A |
| Apr 2026 | KDC default flips to AES-only (0x18) for accounts with no explicit encryption type set. RC4 still allowed where explicitly configured. | Yes |
| Jul 2026 | Full enforcement. Audit mode is gone, the rollback registry key is retired, implicit RC4 fallback is removed from the KDC path for good. | No |
As of today, June 18th, the default has already flipped, but there is still an escape hatch. July takes that hatch away. After that, RC4 only works for an account where someone has gone out of their way to explicitly allow it, which is a thing you should be removing, not adding.
Why SQL Server is squarely in the blast radius
Every SQL Server using Windows Authentication over Kerberos has a Service Principal Name, the MSSQLSvc/ SPN, registered against the account running the service. That SPN is the thing a client uses to request a Kerberos ticket for your instance. Which means your SQL service account is, by definition, a Kerberoastable target -- any authenticated user in the domain can request a service ticket for that SPN. No admin rights required.
Most modern service accounts are fine. An account picks up its AES keys the moment its password is set in a domain at the Server 2008 functional level or higher -- which, since AES-SHA1 shipped with Server 2008, has been the floor for close to 18 years. The accounts that will break in July are the stragglers whose passwords predate that:
The accounts that will fail silently
An old service account explicitly pinned to RC4-only. A downlevel client or appliance that only knows how to ask for RC4. A service account whose msDS-SupportedEncryptionTypes is something legacy and nobody has touched since the box was built on Server 2008. A linked server hop where the far end is the weak link. These are the connections that worked yesterday and will not work after enforcement, with nothing in the SQL error log to tell you why.
The point is not panic. Most of your estate is probably clean. The point is that the failures are silent and the deadline is real. The July updates that flip enforcement start shipping on Patch Tuesday, July 14, and your domain controllers cross the line whenever they take that update. So you want to know now, rather than find out from a 5AM phone call the morning after your DCs patched.
Find out if you are exposed -- the SQL-native check first
Start where you live. This query tells you which sessions on an instance are riding on Kerberos right now, which is exactly the set of connections that depend on the SPN and ticket encryption that is about to be enforced.
-- Who is authenticating via Kerberos right now?
SELECT
s.session_id,
s.login_name,
c.auth_scheme, -- KERBEROS, NTLM, or SQL
c.net_transport,
c.client_net_address
FROM sys.dm_exec_connections c JOIN sys.dm_exec_sessions s
ON c.session_id = s.session_id
WHERE c.auth_scheme = 'KERBEROS'
ORDER BY s.login_name;
Anything coming back as KERBEROS is leaning on the machinery that changes in July. Here's a one-liner just for your own connection:
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
This will return different values -- KERBEROS, NTLM, SQL. KERBEROS means the connection is riding the exact machinery being enforced in July. NTLM means Kerberos was not used for this connection. Sometimes that is by design -- connecting by IP instead of the FQDN, or an environment with no SPNs set -- and sometimes it points at a missing or misregistered SPN. Either way it is not in scope for July. SQL means SQL Authentication, so this change does not touch it at all.
Now go check the account itself
The sys.dm_exec_connections DMV tells you which sessions are on Kerberos. Active Directory tells you whether the service account behind them can actually negotiate AES. Find the SQL service account's SPNs and its current encryption types:
# List the MSSQLSvc SPNs registered to the service account
setspn -L DOMAIN\svc_sql
# What encryption types does AD think this account supports?
Get-ADUser -Identity 'svc_sql' -Properties 'msDS-SupportedEncryptionTypes' |
Select-Object Name, 'msDS-SupportedEncryptionTypes'
Read the result like this:
| Value | Meaning |
|---|---|
| null or 0 | No explicit setting -- inherits the domain default, which is now AES-only. Fine IF the account has AES keys. Worth confirming. |
| 4 (0x4) | RC4 explicitly allowed. This is the one to fix. |
| 24 (0x18) | AES128 + AES256. This is where you want to be. |
Checking one account's attribute only tells you about that one account. The Windows event logs on your domain controllers see everything -- clients, appliances, and downlevel boxes you might not even think about checking. There are two logs to look at, and they tell you different things.
One thing up front: these are logs on the domain controllers, not on your SQL boxes. If you do not have rights to read DC event logs -- and as a DBA you may not -- this is the part you hand to your AD team. You can open these in Event Viewer by hand, but the fastest way to filter them is PowerShell, run on the DC. The commands below are PowerShell.
Start with the Windows System Event log. The January update added new RC4 warning events here, and the DC writes one whenever it handles a ticket that will break once enforcement is complete. This pulls the most recent 50 of them:
# PowerShell, run on a domain controller
# Pulls the new RC4 warning events the January update added to the System log
Get-WinEvent -FilterHashtable @{ LogName='System'; Id=201,202,206,207 } -MaxEvents 50 |
Format-List TimeCreated, Id, Message
Each result has an event ID and a Message. All four IDs are the same family of RC4 warnings, but read 202 and 207 first -- the Message on those names a specific at-risk service account, which is exactly what you are hunting. 201 and 206 are broader warnings about the same activity, with no single account called out.
The System event log tells you what the DC flagged. The Security event log lets you watch RC4 happen in real time. Events 4768 and 4769 are the routine Kerberos ticket requests every DC logs, and each one records the cipher that was actually issued in its 'Ticket Encryption Type' field. A value of 0x17 in that field is RC4 caught in the act. This pulls recent ticket requests and keeps only the RC4 ones:
# PowerShell, run on a domain controller
# Keeps only the 4768/4769 ticket events whose encryption type is RC4 (0x17)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4768,4769 } -MaxEvents 200 |
Where-Object { $_.Message -match '0x17' } |
Format-List TimeCreated, Id, Message
In the results, the account pulling the RC4 ticket is in the Message -- the 'Account Name' field for a 4768, the service in 'Service Name' for a 4769. Any account that turns up in either query is one to fix before July.
The fix -- and whose job it is
Here is the important part: the fix lives in Active Directory, not in SQL Server. As the DBA, your job is to find the exposed SQL service account and hand the AD team a specific, actionable request. Unless you're also the AD admin, you shouldn't be running commands against the DC yourself. You want to know if this will impact you and what has to be done.
There are two pieces to the remediation, and both are AD-side:
1. Allow AES on the account. The account's msDS-SupportedEncryptionTypes attribute needs to be set to 0x18 (AES128 + AES256). For reference, that is a one-line change your AD admin would make:
# For the AD team, not the DBA -- run by AD against the service account
Set-ADUser -Identity 'svc_sql' -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }
2. Make sure the account has AES keys. Allowing AES does nothing if the account has no AES keys to hand out, and those keys only get generated when the password is set in a domain at the Server 2008 functional level or higher. For an account whose password has changed in recent memory, this is already done. For an account that predates AES key generation, the AD team typically resets the service account password so Active Directory can generate fresh AES keys for the account.
The password reset is the piece that reaches back into your world, so it needs to be coordinated. It is a real service account. The new password has to be updated wherever the SQL Server service uses it, the service restarted, and authentication confirmed afterward. That is a planned, change-controlled maintenance task across two teams. Do it in a lower environment first.
One anti-pattern to name and shame: Yes, you can buy yourself time by explicitly setting an account back to RC4 (0x4) -- but don't. That is putting the weak cipher back specifically so the attacker's offline crack keeps working. The whole point of July is to make that impossible by default. Fix the account properly instead of pinning it to the thing being removed.
The reason this lands now
July 14 is a genuinely rough day on the SQL calendar. SQL Server 2016 reaches end of support that day, and the Kerberos RC4 hardening moves into its enforcement phase the same month. For RC4-dependent accounts, MSFT's own framing is the right one to borrow: you have weeks, not months.
This is a calendar problem, not a fire. Calendar problems are the ones you can get in front of. Run the Kerberos query, check your service accounts, fix the stragglers, and let July be boring on the database tier.
More to Read
Microsoft Support: Manage Kerberos KDC usage of RC4 (CVE-2026-20833)
AskDS: What is going on with RC4 in Kerberos? (the at-risk event IDs)
Microsoft/Kerberos-Crypto: detection scripts on GitHub
Microsoft Learn: Detect and remediate RC4 usage in Kerberos
