Windows 2012 Domain Controllers and RC4

We are using Qualysguard as our vulnerability scanner, and we are getting QID 38601, "SSL/TLS use of weak RC4 cipher". While we have created a GPO to disable RC4 on the 2008/2012 servers, we have 4 Domain Controllers that we haven't included in the GPO yet. I'm wondering if disabling RC4 on 2012 Domain Controllers will cause problems that I'm not foreseeing right now.

Does someone out there have any knowledge of this through experience or otherwise?

Thanks in advance.

April 29th, 2015 1:09pm

 

Hi,

As far as I know, disabling RC4 cipher usage in SSL/TLS wouldn't affect Kerberos-related services on a Domain Controller, since the Key Distribution Center (KDC) just uses the available encryption type to encrypt tickets that are requested from our clients with RC4_HMAC_NT.

More information for you:

Disabling RC4 Cipher KB2868725 relation to Kerberos

https://social.technet.microsoft.com/Forums/sqlserver/en-US/836eba80-a070-486d-98b2-69b6325cb40e/disabling-rc4-cipher-kb2868725-relation-to-kerberos?forum=winserversecurity

Best Regards,

Amy

April 30th, 2015 2:39am
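
The distinction drawn in the reply above, as an added example that is not part of the original thread: a read-only PowerShell report that shows the Schannel (SSL/TLS) RC4 cipher switches and the Kerberos encryption-type policy side by side. It assumes both are configured through their standard registry locations; a missing value means the OS default applies.

```powershell
# Added example (not from the thread): read-only report, run on the server itself.
$hklm = [Microsoft.Win32.Registry]::LocalMachine

# Read one registry value; returns $null when the key or value is absent.
function Get-RegValue([string]$SubKey, [string]$Name) {
    $key = $hklm.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

# 1) Schannel (SSL/TLS): the RC4 cipher switches. The key names contain "/",
#    which the registry provider (Get-ItemProperty) treats as a path
#    separator, so the .NET registry API is used instead.
$ciphers = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
foreach ($name in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $enabled = Get-RegValue "$ciphers\$name" 'Enabled'
    if ($null -eq $enabled) { $state = 'not configured (OS default applies)' }
    elseif ($enabled -eq 0) { $state = 'disabled' }
    else                    { $state = 'enabled' }
    'Schannel {0,-12}: {1}' -f $name, $state
}

# 2) Kerberos: encryption types allowed by policy ("Network security:
#    Configure encryption types allowed for Kerberos"). Separate from Schannel.
$kerb = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$etypes = Get-RegValue $kerb 'SupportedEncryptionTypes'
$flags = @{ 0x1 = 'DES_CBC_CRC'; 0x2 = 'DES_CBC_MD5'; 0x4 = 'RC4_HMAC'
            0x8 = 'AES128_HMAC_SHA1'; 0x10 = 'AES256_HMAC_SHA1' }
$allowed = 'not configured (OS default applies)'
if ($null -ne $etypes) {
    $allowed = ($flags.Keys | Sort-Object | Where-Object { $etypes -band $_ } |
                ForEach-Object { $flags[$_] }) -join ', '
}
"Kerberos etypes : $allowed"
```

Running it before and after the GPO is linked to a Domain Controller shows that only the Schannel lines change.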
