IWASVC Changes After Windows Update KB5082142

    Applies to:
      • SecureAuth Identity Platform

    Deployment model:
      • Cloud

    Description:

    Microsoft released a cumulative Windows Update on April 14, 2026 that changes the default Kerberos encryption method for the DefaultDomainSupportedEncTypes value in the Key Distribution Center (KDC). Service accounts that do not have an explicit msDS-SupportedEncryptionTypes attribute defined in Active Directory will transition from RC4 to AES128/AES256 as the new default.

    https://support.microsoft.com/en-us/topic/april-14-2026-kb5082142-os-build-20348-5020-6217e03b-0ee3-488e-9f10-90a1e17e620e

    Checking the Encryption Type:

    To determine which encryption method a service account is using, check the msDS-SupportedEncryptionTypes attribute in Active Directory, or run the following PowerShell command, replacing <IWA SSO Service Account> with the appropriate service account name:

    Get-ADUser -Identity <IWA SSO Service Account> -Properties msDS-SupportedEncryptionTypes | Format-List Name, msDS-SupportedEncryptionTypes


    Value   Encryption Type
    -----   ------------------------
    0       Default (typically RC4)
    4       RC4-HMAC
    8       AES128
    16      AES256
    24      AES128 + AES256
    28      RC4 + AES128 + AES256

    If the value is blank or shows <not set>, the account inherits the domain default. Prior to patch KB5082142, this would be RC4. After the patch, this will be AES128/AES256.

    Resolution:

    The IWASVC will be updated to correct any service accounts that have a domain.com suffix appended in the configuration, so that the AES128/AES256 salt is calculated correctly.

    If your configuration does not use the sAMAccountName, or the configured name differs from the sAMAccountName in letter case, you will need to manually re-enter the correct sAMAccountName for the service account in the datastore configuration settings.


    Note: The check boxes for AES128 and AES256 bit encryption on the account properties screen are optional.

    1. If your msDS-SupportedEncryptionTypes value was 0, blank, or <not set>:
       No updates are needed to that value.

    2. If your msDS-SupportedEncryptionTypes value was 8, 16, or 24:
       No updates are needed to that value.

    3. If your msDS-SupportedEncryptionTypes value was 4 or 28:
       Your environment may continue to use RC4 after this Windows update. SecureAuth recommends moving to AES128/AES256 (values 8, 16, or 24) as best practice.
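    The following PowerShell is an added example, not part of this SecureAuth article or the IWASVC product. It decodes the msDS-SupportedEncryptionTypes bitmask using only the values listed in the table above (4 = RC4-HMAC, 8 = AES128, 16 = AES256), maps each account to the action in steps 1 to 3, and, for the live-domain lookup, also checks that the name you have configured matches the account's sAMAccountName in letter case, which is the mismatch the Resolution section asks you to correct. The account name 'svc-iwa-sso' is a placeholder; the live lookup requires the ActiveDirectory module.

```powershell
# Added example (not from the SecureAuth article): classify a service
# account's msDS-SupportedEncryptionTypes value after KB5082142.

function Get-EncTypeAssessment {
    param(
        # Raw attribute value; $null represents blank / <not set>
        [Nullable[int]]$Value
    )

    # Bit flags exactly as listed in the article's table
    $RC4    = 4
    $AES128 = 8
    $AES256 = 16

    if ($null -eq $Value -or $Value -eq 0) {
        # Inherits the domain default: RC4 before KB5082142, AES128/AES256 after
        return [pscustomobject]@{
            Value       = $Value
            EncTypes    = 'Default (inherits domain default)'
            RC4Explicit = $false
            Action      = 'No update needed to this value'
        }
    }

    $names = @()
    if ($Value -band $RC4)    { $names += 'RC4-HMAC' }
    if ($Value -band $AES128) { $names += 'AES128' }
    if ($Value -band $AES256) { $names += 'AES256' }
    $rc4 = [bool]($Value -band $RC4)

    $action = if ($rc4) {
        'RC4 still permitted; move to AES128/AES256 (values 8, 16 or 24)'
    } else {
        'No update needed to this value'
    }

    [pscustomobject]@{
        Value       = $Value
        EncTypes    = ($names -join ' + ')
        RC4Explicit = $rc4
        Action      = $action
    }
}

function Get-ServiceAccountEncTypeReport {
    param(
        # The service account name exactly as entered in the datastore configuration
        [Parameter(Mandatory)][string]$ConfiguredName
    )
    $user = Get-ADUser -Identity $ConfiguredName -Properties msDS-SupportedEncryptionTypes
    $report = Get-EncTypeAssessment -Value $user.'msDS-SupportedEncryptionTypes'

    # AES salts are derived from the principal name, so the configured name must
    # match the directory's sAMAccountName case-exactly (-ceq is case-sensitive).
    $report | Add-Member -NotePropertyName Name -NotePropertyValue $user.Name
    $report | Add-Member -NotePropertyName SamAccountNameMatchesCase `
                         -NotePropertyValue ($ConfiguredName -ceq $user.SamAccountName)
    $report
}

# Constructed sample values covering every row of the table; no domain required.
foreach ($v in @($null, 0, 4, 8, 16, 24, 28)) {
    Get-EncTypeAssessment -Value $v
}

# Against a live domain (placeholder account name):
# Get-ServiceAccountEncTypeReport -ConfiguredName 'svc-iwa-sso' | Format-List
```

    Values 4 and 28 are the only ones reported with RC4Explicit set, matching step 3; a SamAccountNameMatchesCase of False on the live report means the datastore entry should be re-entered as described in the Resolution section.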


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
