As stated in Microsoft KB5073381, updated domain controllers running in Enforcement mode will only support Advanced Encryption Standard (AES) encryption type configurations.
Will Safeguard Authentication Services (SAS) continue to work when Microsoft enforces support for only AES encryption type configurations?
The default behavior of SAS will continue to work when encryption-type changes are enforced in Active Directory.
If Microsoft guidelines for removing RC4 have been followed, the change to Active Directory shouldn't cause any interruptions in SAS behavior.
Configurations that WILL fail when Active Directory is set to support AES only:
1) Only RC4 (arcfour-hmac-md5) is configured in /etc/opt/quest/vas/vas.conf
/etc/opt/quest/vas/vas.conf
[libdefaults]
default_etypes = arcfour-hmac-md5
Any server that has default_etypes set to 'arcfour-hmac-md5' will need to be changed to 'default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5', which is the current default.
This command will update vas.conf with the AES encryption types.
/opt/quest/bin/vastool configure vas libdefaults default_etypes aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
The "vastool status" script included with SAS version 6 and up will report if only older encryption types are set.
Example:
[root@test vas]# /opt/quest/bin/vastool status
INFO: 729 /etc/opt/quest/vas/vas.conf [libdefaults] default_etypes setting set to only use older encryption types (arcfour-hmac-md5).
Script location if required: /opt/quest/libexec/vas/scripts/vas_status.sh
2) Using a keytab that only has an arcfour-hmac-md5 encoded entry.
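To audit hosts for the first failing configuration above, this added example (not One Identity's code) classifies the default_etypes value found in the [libdefaults] section of a vas.conf-style file. The function name vas_etype_status and its output labels are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: classify default_etypes in [libdefaults] of a vas.conf-style file.
# Prints: unset | aes-enabled | rc4-only | no-aes. Returns 0 if usable with AES-only AD.
vas_etype_status() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    etypes=$(awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        /^[ \t]*\[/ {                          # section header: track [libdefaults]
            sect = $0
            sub(/^[ \t]*\[[ \t]*/, "", sect)
            sub(/[ \t]*\].*$/, "", sect)
            in_lib = (sect == "libdefaults")
            next
        }
        in_lib && /^[ \t]*default_etypes[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            val = $0                           # assumption: for a repeated key, the last one counts
        }
        END { print val }
    ' "$conf")
    # Not set: the page states the current default already lists both AES types.
    if [ -z "$etypes" ]; then echo "unset"; return 0; fi
    has_aes=0; has_rc4=0
    for e in $(printf '%s' "$etypes" | tr ',' ' '); do
        case $e in
            aes128-cts*|aes256-cts*) has_aes=1 ;;
            arcfour-hmac*) has_rc4=1 ;;
        esac
    done
    if [ "$has_aes" -eq 1 ]; then echo "aes-enabled"; return 0; fi
    if [ "$has_rc4" -eq 1 ]; then echo "rc4-only"; return 1; fi
    echo "no-aes"; return 1
}

# Demo on a constructed sample, not a real host's file.
sample=$(mktemp)
printf '[libdefaults]\n default_etypes = arcfour-hmac-md5\n' > "$sample"
echo "constructed sample: $(vas_etype_status "$sample")"
rm -f "$sample"
```

On a real host, pass /etc/opt/quest/vas/vas.conf as the argument; a non-zero return marks a file that needs the vastool configure command shown above.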
Recommendations:
Follow the guidance provided by Microsoft.
Microsoft article:
https://support.microsoft.com/en-us/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc
"After the Windows updates released on or after January 13, 2026, are installed, the following KDCSVC Audit event types are added to the System event log of Windows Server 2012 and later running as a domain controller."
The article then lists 9 separate events, 201-209.
When searching the new event logs for arcfour usage, these general guidelines apply:
An auth using a password will advertise the list of enc types in default_etypes.
An auth using a keytab will advertise the enc types present in the keytab.
* arcfour being available does not mean it will or could be used by AD.