Enabling Legacy Password Sync (RC4) on Windows Server 2025 Target Directories

How to configure Windows Server 2025 Domain Controllers to accept RC4 password hashes during Active Directory migrations.

Written by Jamie Richard

Updated at July 1st, 2026


Table of Contents

  • The Scenario
  • The Problem: Windows Server 2025 Kerberos Hardening
  • ⚠️ Critical Security Warning: The Risks of Enabling RC4
  • 💡 Tip: Modern Password Sync Alternative
  • The Solution: Re-Enabling RC4 Support
  • Step 1: Configure the Allowed Encryption Types GPO
  • Step 2: Set the DefaultDomainSupportedEncTypes Registry Key

The Scenario

When migrating an Active Directory domain into a Windows Server 2025 environment, administrators often rely on PowerSyncPro's Legacy Password Sync feature to carry user credentials across without forcing a password reset.

Legacy Password Sync works by reading each account's existing NT hash from the source Active Directory and writing it directly to the target Active Directory. The NT hash is also the account's Kerberos RC4-HMAC key, so the copied credential only ever gives the target an RC4 key. AES keys are derived from the plaintext password with a per-account salt and cannot be produced from the hash, so the account has no AES keys in the target domain until its next password change.


The Problem: Windows Server 2025 Kerberos Hardening

Microsoft has been steadily deprecating RC4 in Kerberos because of its weaknesses, shipping cumulative Kerberos hardening updates that move domains to AES and reject RC4 wherever it has not been explicitly allowed.

In Windows Server 2025, RC4 is disabled by default and the KDC issues AES-encrypted tickets only. Because of this, if you use Legacy Password Sync to write an NT hash (the RC4 key) to a Server 2025 domain, the synchronization appears to complete successfully and the hash is present on the target object. However, users and devices whose only Kerberos key is that RC4 key will fail to log in, because the Kerberos Key Distribution Center (KDC) rejects the RC4 encryption type outright. On the domain controller these failures show up in the System log as Kerberos-Key-Distribution-Center events (Event ID 16 for AS requests and 27 for TGS requests), which list the encryption types the client requested against the types the account actually has keys for.

⚠️ Critical Security Warning: The Risks of Enabling RC4

Explicitly re-enabling RC4 in your environment goes against Microsoft's recommended security practices and lowers the overall security posture of the domain. RC4-HMAC is a legacy algorithm with known weaknesses, and in Kerberos its key is the unsalted NT hash, which makes stolen hashes directly usable and offline cracking of tickets far cheaper than with AES.

Before proceeding with the steps below, we strongly advise reviewing Microsoft's official documentation: How to Manage RC4 Hardening – Definitive Guide.

 

💡 Tip: Modern Password Sync Alternative

If your security posture prohibits re-enabling RC4 in the new Server 2025 environment, you cannot use Legacy Password Sync. Instead, use PowerSyncPro's Modern Password Sync, which securely captures and synchronizes AES/SHA credentials by installing the Remote Password Sync Agent on every source Domain Controller.

Important behavioral difference: Legacy Password Sync is a "lift and shift" approach that copies the existing password hash to the target immediately. Modern Password Sync intercepts new passwords in near real time, so it is sync-on-change only: users must change their password in the source environment before it can be captured and synchronized to the target.

 

The Solution: Re-Enabling RC4 Support

If your migration strategy requires Legacy Password Sync and you accept the associated security risks, you must explicitly configure the target Windows Server 2025 domain to accept RC4.

This requires two separate configuration changes on the target Domain Controllers: updating a Group Policy Object (GPO), and adding the DefaultDomainSupportedEncTypes registry value that the KDC reads.

Step 1: Configure the Allowed Encryption Types GPO

You must first update the Default Domain Controllers Policy so that the domain controllers themselves allow RC4 alongside AES for Kerberos. This security option is backed by the SupportedEncryptionTypes registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters on each DC.

  1. Log on to a target Windows Server 2025 Domain Controller as an Administrator.
  2. Open Group Policy Management.
  3. Navigate to your target domain -> Domain Controllers -> right-click Default Domain Controllers Policy and select Edit.
  4. In the Group Policy Management Editor, navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  5. Locate the policy named Network security: Configure encryption types allowed for Kerberos.
  6. Double-click the policy to edit it. Ensure the following encryption types are checked and leave both DES types unchecked; this combination sets the underlying value to 0x7FFFFFFC (RC4 = 0x4, AES128 = 0x8, AES256 = 0x10, future types = 0x7FFFFFE0):
    • RC4_HMAC_MD5
    • AES128_HMAC_SHA1
    • AES256_HMAC_SHA1
    • Future encryption types
[Screenshot: location of the policy in the Default Domain Controllers Policy]
[Screenshot: Kerberos encryption types GPO settings]
  7. Click Apply and OK.
  8. Open an elevated command prompt and run gpupdate /force to apply the policy.

Step 2: Set the DefaultDomainSupportedEncTypes Registry Key

DefaultDomainSupportedEncTypes is the set of encryption types the KDC assumes for any account whose msDS-SupportedEncryptionTypes attribute is unset or 0, which is the normal state of user objects, including the ones Legacy Password Sync writes. Even with the GPO applied, you must set this value explicitly so the KDC will issue RC4 tickets for those accounts.

Note: This registry value must be added to every Windows Server 2025 Domain Controller in the target environment; a DC without it will keep rejecting RC4.

  1. Open the Registry Editor (regedit.exe) on the target Domain Controller.
  2. Navigate to the following path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters (on older OS versions this value lives under HKLM\SYSTEM\CurrentControlSet\Services\Kdc).
  3. Look for the DefaultDomainSupportedEncTypes value. If it does not exist, right-click and create a new DWORD (32-bit) Value named DefaultDomainSupportedEncTypes.
  4. Double-click DefaultDomainSupportedEncTypes and set the Hexadecimal value data to 1c.
    • 0x1C is RC4_HMAC_MD5 (0x4) + AES128_CTS_HMAC_SHA1_96 (0x8) + AES256_CTS_HMAC_SHA1_96 (0x10), so it enables all three.
[Screenshot: example DefaultDomainSupportedEncTypes registry value]
  5. Click OK and close the Registry Editor.
  6. Restart the Domain Controller so the KDC service initializes with the new allowed encryption types.

Once the domain controllers have rebooted, users will be able to authenticate against the Windows Server 2025 domain with the NT hashes synchronized via PowerSyncPro's Legacy Password Sync.
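The two steps above, scripted as an added example (this is not PowerSyncPro's code): it writes DefaultDomainSupportedEncTypes to every domain controller in the target domain at the registry location this article gives for its OS version, reads back that value together with the GPO-backed SupportedEncryptionTypes from Step 1 to confirm the RC4 bit (0x4) is present on each DC, and then flags any user whose msDS-SupportedEncryptionTypes attribute excludes RC4, because a non-zero value on the account overrides the domain default. It assumes the ActiveDirectory module (RSAT), WinRM access to the DCs, and that Step 1 has already been done in the GPO editor; the parameter names and the -Restart switch are this example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not PowerSyncPro tooling. Run from an elevated PowerShell session
# with the ActiveDirectory module; supports -WhatIf via ShouldProcess.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,          # target domain (assumed reachable)
    [uint32]$DefaultDomainSupportedEncTypes = 0x1C,    # RC4 + AES128 + AES256, as in Step 2
    [switch]$Restart                                   # reboot each DC after writing the value
)

# Bits of the Kerberos encryption-type bitmask used by both registry values and
# by the msDS-SupportedEncryptionTypes attribute.
$EncTypeBits = @(
    @{ Bit = 0x1;  Name = 'DES_CBC_CRC' },
    @{ Bit = 0x2;  Name = 'DES_CBC_MD5' },
    @{ Bit = 0x4;  Name = 'RC4_HMAC_MD5' },
    @{ Bit = 0x8;  Name = 'AES128_CTS_HMAC_SHA1_96' },
    @{ Bit = 0x10; Name = 'AES256_CTS_HMAC_SHA1_96' },
    @{ Bit = 0x20; Name = 'AES_SK' }
)

function Get-EncTypeNames ([uint32]$Mask) {
    $names = @(foreach ($e in $EncTypeBits) { if ($Mask -band $e.Bit) { $e.Name } })
    if ($Mask -band 0x7FFFFFC0) { $names += 'Future encryption types' }
    if ($names.Count -eq 0) { return '(none)' }
    $names -join ', '
}

# Step 2 location, following this article: Server 2025 uses the Policies path,
# older DCs the Kdc service key.
function Get-KdcParametersPath ([string]$OperatingSystem) {
    if ($OperatingSystem -like '*Server 2025*') {
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    } else {
        'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    }
}

# Runs on each DC: optionally write DefaultDomainSupportedEncTypes, then read back
# that value and the GPO-backed SupportedEncryptionTypes from Step 1.
$worker = {
    param($KdcPath, $Value, $DoWrite)
    $gpoPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    if ($DoWrite) {
        if (-not (Test-Path $KdcPath)) { New-Item -Path $KdcPath -Force | Out-Null }
        New-ItemProperty -Path $KdcPath -Name DefaultDomainSupportedEncTypes `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    [pscustomobject]@{
        KdcDefault = (Get-ItemProperty -Path $KdcPath -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
        GpoValue   = (Get-ItemProperty -Path $gpoPath -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    }
}

foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $kdcPath = Get-KdcParametersPath $dc.OperatingSystem
    $action  = 'Set DefaultDomainSupportedEncTypes=0x{0:X} under {1}' -f $DefaultDomainSupportedEncTypes, $kdcPath
    $write   = $PSCmdlet.ShouldProcess($dc.HostName, $action)
    $state   = Invoke-Command -ComputerName $dc.HostName -ScriptBlock $worker `
                   -ArgumentList $kdcPath, $DefaultDomainSupportedEncTypes, $write

    $kdcVal = if ($null -ne $state.KdcDefault) { [uint32]$state.KdcDefault } else { 0 }
    $gpoVal = if ($null -ne $state.GpoValue)   { [uint32]$state.GpoValue }   else { 0 }
    '{0}: KDC default 0x{1:X} [{2}]; GPO value 0x{3:X} [{4}]' -f $dc.HostName,
        $kdcVal, (Get-EncTypeNames $kdcVal), $gpoVal, (Get-EncTypeNames $gpoVal)

    if (-not ($kdcVal -band 0x4)) { Write-Warning "$($dc.HostName): KDC default does not include RC4 (Step 2 incomplete)." }
    if (-not ($gpoVal -band 0x4)) { Write-Warning "$($dc.HostName): GPO value does not include RC4; check Step 1 and run gpupdate /force." }
    if ($write -and $Restart)     { Restart-Computer -ComputerName $dc.HostName -Force }
}

# An account with a non-zero msDS-SupportedEncryptionTypes ignores the domain default,
# so an AES-only value there still blocks RC4 for that user after migration.
Get-ADUser -Server $Domain -LDAPFilter '(msDS-SupportedEncryptionTypes=*)' -Properties 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.'msDS-SupportedEncryptionTypes' -ne 0 -and -not ($_.'msDS-SupportedEncryptionTypes' -band 0x4) } |
    ForEach-Object {
        Write-Warning ('{0}: msDS-SupportedEncryptionTypes=0x{1:X} excludes RC4' -f $_.SamAccountName, $_.'msDS-SupportedEncryptionTypes')
    }
```

Run it once with -WhatIf to see what would be written and the current state of every DC, then without -WhatIf (and with -Restart if you want the reboot from Step 2 done for you). The decoded bitmask output is the quickest way to confirm that Step 1's GPO actually reached each DC, since a DC that still reports an AES-only SupportedEncryptionTypes will keep failing RC4 logons regardless of the KDC default.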
