Microsoft is deprecating RC4 in July 2026, which is a good thing, but if you are self-hosted and have been running Polaris for a while, you may need to take some steps to make sure the process goes smoothly for you.
- Reach out to Innovative support letting them know the changes you’re planning.
- This COULD break EVERYTHING so proceed with caution.
- From an admin PowerShell prompt on a domain controller, run the following script. It needs the ActiveDirectory module, queries every DC in the domain for the last 48 hours of KDC hardening events and RC4 ticket requests, and writes the results to a CSV in C:\Temp:
```powershell
# Import the Active Directory module to locate Domain Controllers
Import-Module ActiveDirectory

# Define the search timeframe (last 48 hours)
$StartTime = (Get-Date).AddHours(-48)

# Define output file
$OutputDirectory = "C:\Temp"
$Timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
$OutputFile = Join-Path $OutputDirectory "Kerberos-RC4-Audit-Results-$Timestamp.csv"

# Ensure output directory exists
if (-not (Test-Path $OutputDirectory)) {
    New-Item -Path $OutputDirectory -ItemType Directory -Force | Out-Null
}

Write-Host "Locating Domain Controllers in the current domain..." -ForegroundColor Cyan

# Retrieve all Domain Controllers in the current domain
# (Get-ADDomainController -Filter * is per domain; run once per domain in a multi-domain forest)
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$CombinedResults = New-Object System.Collections.Generic.List[object]

# Get-WinEvent with -ErrorAction Stop throws when the filter matches nothing.
# Treat only that case as "no events"; anything else (RPC failure, access denied,
# Event Log service unreachable) is a real error and must be surfaced, otherwise
# a DC that could not be queried looks identical to a clean DC.
function Test-NoMatchingEvents {
    param($ErrorRecord)
    return ($ErrorRecord.Exception.Message -like '*No events were found*')
}

foreach ($DC in $DCs) {
    Write-Host "Querying Domain Controller: $DC" -ForegroundColor Yellow

    # -------------------------------------------------------------------------
    # QUERY 1: System Log for KDC Hardening Events (201, 202, 203, 204)
    # -------------------------------------------------------------------------
    try {
        $SystemEvents = Get-WinEvent -ComputerName $DC -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 201, 202, 203, 204
            StartTime    = $StartTime
        } -ErrorAction Stop

        foreach ($Event in $SystemEvents) {
            $CombinedResults.Add([PSCustomObject]@{
                DomainController = $DC
                LogSource        = "System Log"
                TimeCreated      = $Event.TimeCreated
                EventID          = $Event.Id
                TargetService    = "N/A"
                ClientIP         = "N/A"
                Message          = $Event.Message
            })
        }
    }
    catch {
        if (Test-NoMatchingEvents $_) {
            Write-Host " -> No KDC warning/error events (201-204) found on $DC." -ForegroundColor DarkGray
        }
        else {
            Write-Warning "System log query failed on ${DC}: $($_.Exception.Message)"
        }
    }

    # -------------------------------------------------------------------------
    # QUERY 2: Security Log for Event 4769 requesting RC4
    # TicketEncryptionType 0x17 = RC4-HMAC
    # 4769 is only logged when the "Audit Kerberos Service Ticket Operations"
    # subcategory is enabled on the DCs; an empty result with it disabled
    # does not mean RC4 is unused.
    # -------------------------------------------------------------------------
    # XPath filters by:
    #   - Event ID 4769
    #   - TicketEncryptionType = 0x17
    #   - TimeCreated within the last 48 hours
    #
    # The timediff value is in milliseconds.
    $TimeWindowMs = 48 * 60 * 60 * 1000
    $XPathQuery = @"
*[System[
    EventID=4769 and
    TimeCreated[timediff(@SystemTime) <= $TimeWindowMs]
]]
and
*[EventData[
    Data[@Name='TicketEncryptionType']='0x17'
]]
"@

    try {
        $SecurityEvents = Get-WinEvent -ComputerName $DC -LogName Security -FilterXPath $XPathQuery -ErrorAction Stop

        foreach ($Event in $SecurityEvents) {
            # Convert the raw event to XML to extract the specific payload data
            $xml  = [xml]$Event.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }

            $CombinedResults.Add([PSCustomObject]@{
                DomainController = $DC
                LogSource        = "Security Log"
                TimeCreated      = $Event.TimeCreated
                EventID          = $Event.Id
                TargetService    = $data['ServiceName']
                ClientIP         = $data['IpAddress']
                Message          = "Target User: $($data['TargetUserName']) | Service: $($data['ServiceName']) | Status Code: $($data['Status']) | Ticket Encryption Type: $($data['TicketEncryptionType'])"
            })
        }
    }
    catch {
        if (Test-NoMatchingEvents $_) {
            Write-Host " -> No RC4 Kerberos Ticket requests (4769/0x17) found on $DC." -ForegroundColor DarkGray
        }
        else {
            Write-Warning "Security log query failed on ${DC}: $($_.Exception.Message)"
        }
    }
}

# Export the findings to a CSV file
if ($CombinedResults.Count -gt 0) {
    Write-Host "Queries complete. Exporting $($CombinedResults.Count) events to $OutputFile." -ForegroundColor Green
    $CombinedResults |
        Sort-Object TimeCreated -Descending |
        Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8
    Write-Host "Export complete: $OutputFile" -ForegroundColor Green
}
else {
    Write-Host "Queries complete. No RC4 usage or Kerberos enforcement errors were detected." -ForegroundColor Green
}
```
- Open the output file and look for RC4 tickets (4769 with Ticket Encryption Type 0x17) or KDC warnings involving Polaris service accounts, the servers that run Polaris, or clients talking to them. Note the account names; they are the [ENTER-YOUR-polaris-services-user-account(s)] used in the steps below.
- Active Directory Users and Computers → [ENTER-YOUR-polaris-services-user-account(s)] → Account tab. Make sure these are not checked:
  - Use Kerberos DES encryption types for this account
  - Do not require Kerberos preauthentication
- From PowerShell with admin, restrict the account to AES. The value 24 is AES128 (8) + AES256 (16) in msDS-SupportedEncryptionTypes; RC4 (4) and the DES bits are left out, so the account no longer advertises RC4:
  Set-ADUser [ENTER-YOUR-polaris-services-user-account(s)] -Replace @{'msDS-SupportedEncryptionTypes'=24}
- Reset the account password. This is required, not optional: the Kerberos keys for each encryption type are derived from the password when it is set, so an account whose password predates AES support in your domain has no AES keys until the password is reset.
- Depending on your password policies, you may be able to reset it back to the original password.
- If you can't revert to the original password, be prepared to update the password in the following locations:
  - Windows services
  - IIS application pools
  - scheduled tasks
  - SQL services or SQL jobs
  - Polaris/Innovative service configuration
  - stored credentials on application servers
- Run the following on all clients and servers so cached RC4 tickets are discarded and fresh tickets are requested with AES:
  klist purge
- Restart all Polaris services and verify they're working properly.
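The steps above can be checked and applied from one PowerShell session. The following is an added example, not code from the original post or from Innovative: it reads the audit CSV produced by the script above, filters it to the Polaris service accounts, shows the flags the ADUC step covers together with the decoded msDS-SupportedEncryptionTypes mask and the password age, and then applies the AES-only setting and the password reset with -WhatIf so nothing changes until you remove it. The account names (svc-polaris, svc-polaris-sql), the C:\Temp path and the ConvertFrom-EncTypeMask helper are assumptions for the example; substitute your own accounts.

```powershell
# Added example (not from the original post): audit and remediate the Polaris
# service accounts for the RC4 deprecation. Names and paths below are assumed.
Import-Module ActiveDirectory

# Assumed: the Polaris service accounts in this environment.
$PolarisAccounts = @('svc-polaris', 'svc-polaris-sql')
# Assumed: the most recent audit file written by the script above.
$AuditCsv = Get-ChildItem 'C:\Temp\Kerberos-RC4-Audit-Results-*.csv' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128-SHA1' = 0x8
    'AES256-SHA1' = 0x10
}
$AesOnly = 0x18   # AES128 + AES256 = 24, the value used in the Set-ADUser step

# Helper (added here, not an AD cmdlet): turn the bitmask into readable names.
function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    if ($Mask -eq 0) { return 'not set (DC default applies)' }
    ($EncTypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }) -join ', '
}

# 1. Which audited RC4 events involve a Polaris account, either as the
#    requesting user (TargetUserName) or as the target service (ServiceName)?
if ($AuditCsv) {
    $Hits = @(Import-Csv $AuditCsv.FullName | Where-Object {
        $row = $_
        $PolarisAccounts | Where-Object {
            $row.TargetService -like "$_*" -or $row.Message -like "*Target User: $_*"
        }
    })
    Write-Host "RC4 events involving Polaris accounts in $($AuditCsv.Name): $($Hits.Count)"
    $Hits | Select-Object TimeCreated, DomainController, TargetService, ClientIP |
        Sort-Object TimeCreated -Descending | Format-Table -AutoSize
}
else {
    Write-Warning 'No audit CSV found in C:\Temp; run the audit script first.'
}

# 2. Check the two ADUC checkboxes, the enctype mask, the password age (the
#    Kerberos keys are only as new as the last password set) and the SPNs.
$Report = foreach ($Name in $PolarisAccounts) {
    $u = Get-ADUser -Identity $Name -Properties 'msDS-SupportedEncryptionTypes',
        UseDESKeyOnly, DoesNotRequirePreAuth, PasswordLastSet, ServicePrincipalName
    $mask = [int]($u.'msDS-SupportedEncryptionTypes')
    [PSCustomObject]@{
        Account         = $u.SamAccountName
        DESOnly         = $u.UseDESKeyOnly
        NoPreAuth       = $u.DoesNotRequirePreAuth
        EncTypes        = ConvertFrom-EncTypeMask $mask
        AdvertisesRC4   = [bool]($mask -band $EncTypeBits['RC4-HMAC'])
        UsesDcDefault   = ($mask -eq 0)
        PasswordLastSet = $u.PasswordLastSet
        SPNs            = ($u.ServicePrincipalName -join '; ')
    }
}
$Report | Format-Table -AutoSize

# 3. Remediate. -WhatIf prints the intended change without applying it; remove
#    it only after support has been told and the password locations are known.
foreach ($Name in $PolarisAccounts) {
    # Clear the two checkboxes from the ADUC step.
    Set-ADAccountControl -Identity $Name -UseDESKeyOnly $false -DoesNotRequirePreAuth $false -WhatIf
    # Same change as the Set-ADUser step above, AES128 + AES256 only.
    Set-ADUser -Identity $Name -Replace @{'msDS-SupportedEncryptionTypes' = $AesOnly} -WhatIf
    # Mandatory: AES keys are generated from the password at set time.
    # Read-Host -AsSecureString keeps the password out of the script and history.
    $NewPassword = Read-Host -AsSecureString "New password for $Name"
    Set-ADAccountPassword -Identity $Name -Reset -NewPassword $NewPassword -WhatIf
}
```

Rows where UsesDcDefault is true have no value set on the account and inherit whatever the DC defaults to, which is exactly the default Microsoft's July 2026 change adjusts, so those accounts deserve the same attention as ones that explicitly advertise RC4. After removing -WhatIf and applying the changes, run klist purge on the clients and servers and restart the Polaris services as the steps above describe.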
Reminder: this COULD break EVERYTHING, but if you wait until the July Patch Tuesday update, doing nothing could break everything too.