The RC4_HMAC_MD5 encryption method has reached End of Life (EOL) and can no longer be used for Okta Active Directory Single Sign-On (ADSSO) and Office 365 Silent Activation. Administrators must update the ADSSO service account to use Advanced Encryption Standard (AES) encryption.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory Single Sign-On (ADSSO)
- Office 365 Silent Activation
What are the steps to update the ADSSO service account to use AES encryption?
Update the configuration and enable Advanced Encryption Standard (AES) encryption for Okta Kerberos authentications by modifying the Active Directory Single Sign-On (ADSSO) and Office 365 Silent Activation service account options in Active Directory.
- Open Active Directory Users and Computers on the Domain Controller.
- Find and right-click the service account.
- Choose Properties.
- Select one of the following AES checkboxes:
  - This account supports Kerberos AES 128-bit encryption
  - This account supports Kerberos AES 256-bit encryption
- Ensure the Use Kerberos DES encryption types for this account checkbox is cleared, as this setting overrides AES encryption.
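The same check and change can be scripted with the ActiveDirectory PowerShell module. This is an added example, not Okta's own code: it reports which Kerberos encryption types the service account advertises and whether the DES checkbox is set, and changes the account only when run with -Apply. The account name svc-okta-adsso and the names Get-AccountEncState, $AesType and -Apply are assumptions made for the example.

```powershell
# Added example, not Okta's code. Audits the ADSSO service account's Kerberos
# encryption settings and, with -Apply, makes the changes described above.
# Assumption: 'svc-okta-adsso' is a placeholder; use your service account name.
param(
    [string]$Account = 'svc-okta-adsso',
    [ValidateSet('AES128', 'AES256')]
    [string]$AesType = 'AES256',
    [switch]$Apply
)

Import-Module ActiveDirectory

# Bit flags stored in the msDS-SupportedEncryptionTypes attribute.
$EncBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}
$UseDesKeyOnly = 0x200000   # userAccountControl flag behind the DES checkbox

function Get-AccountEncState([string]$Name) {
    $u = Get-ADUser -Identity $Name -Properties 'msDS-SupportedEncryptionTypes', userAccountControl
    $mask = [int]$u.'msDS-SupportedEncryptionTypes'   # an unset attribute reads as 0
    [pscustomobject]@{
        Account    = $u.SamAccountName
        EncTypes   = @($EncBits.Keys | Where-Object { $mask -band $EncBits[$_] })
        HasAes     = [bool]($mask -band 0x18)          # AES128 or AES256 bit set
        DesKeyOnly = [bool]($u.userAccountControl -band $UseDesKeyOnly)
    }
}

$state = Get-AccountEncState $Account
$state | Format-List

if ($state.HasAes -and -not $state.DesKeyOnly) {
    Write-Output "$Account already has an AES type enabled and the DES checkbox cleared."
} elseif ($Apply) {
    # -KerberosEncryptionType overwrites the attribute, so RC4 and DES bits are dropped.
    Set-ADUser -Identity $Account -KerberosEncryptionType $AesType
    Set-ADAccountControl -Identity $Account -UseDESKeyOnly $false
    Get-AccountEncState $Account | Format-List
} else {
    Write-Output "$Account needs updating; re-run with -Apply to make the change."
}
```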
