Prepare for macOS Sierra 10.12 with Active Directory

Learn about the requirements for using macOS Sierra with Active Directory.

This article has been archived and is no longer updated by Apple.

These recommendations should be reviewed by your Active Directory administrators in order to determine if they are right for your organization. 
If you think that this change affects you, contact the system administrator for your institution.

Active Directory users on macOS Sierra might see a message like this when they attempt to obtain a Kerberos Ticket Granting Ticket (TGT) using the kinit command in Terminal:

Encryption type arcfour-hmac-md5(23) used for authentication is weak and will be deprecated.

If you see this message, your Active Directory domain only supports RC4 encryption for Kerberos. Because this encryption type is weak, support for RC4 encryption for Kerberos will be removed in a future version of macOS.

While macOS Sierra Active Directory clients will continue to use RC4, you should configure your Active Directory domain and forest to use AES-128 or AES-256 encryption for Kerberos in order to ensure future compatibility.

Find out if you're using AES Kerberos encryption

To confirm that you are using AES Kerberos encryption, you can use the -e flag with the kinit command to explicitly request AES encryption when obtaining a TGT. For example:

kinit -e aes128-cts-hmac-sha1-96 userprinc@TEST.EXAMPLE.COM

If this command works, your Active Directory environment supports AES-128 Kerberos encryption. If the command fails, you will see an error message:

kinit: krb5_get_init_creds: Preauth required but no preauth options send by KDC

If you see this error, your Active Directory domain doesn't support AES encryption and will be incompatible with macOS clients in the future.
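As an added example (not part of Apple's article), the shell helper below classifies a kinit result using the two messages quoted above, so the check can be scripted and the results from several Macs compared. The function names, the host|status|output record format and the exit statuses in the samples are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a kinit result using the two messages quoted in
# this article. classify_kinit and summarize are hypothetical helper names.
#
# Usage: classify_kinit EXIT_STATUS "CAPTURED_OUTPUT"
classify_kinit() {
    status=$1
    output=$2
    case "$output" in
        *"Preauth required but no preauth options"*)
            # Error the article shows when an explicit AES request fails.
            echo "aes-unsupported"
            return 0 ;;
        *"arcfour-hmac-md5(23)"*"is weak"*)
            # Warning the article shows when RC4 was used for authentication.
            echo "rc4-in-use"
            return 0 ;;
    esac
    if [ "$status" -eq 0 ]; then
        echo "ok"              # ticket obtained, neither message present
    else
        echo "other-failure"   # unrelated failure, needs a manual look
    fi
}

# summarize: read "host|status|output" records on stdin (constructed format,
# one kinit result per line) and print "host verdict" for each.
summarize() {
    while IFS='|' read -r host status output; do
        printf '%s %s\n' "$host" "$(classify_kinit "$status" "$output")"
    done
}

# Constructed samples: message text copied from the article; host names and
# exit statuses are assumed (0 = ticket obtained, 1 = kinit failed).
rc4_warning='Encryption type arcfour-hmac-md5(23) used for authentication is weak and will be deprecated.'
aes_error='kinit: krb5_get_init_creds: Preauth required but no preauth options send by KDC'

printf 'mac01|0|\nmac02|0|%s\nmac03|1|%s\n' "$rc4_warning" "$aes_error" | summarize
```

Any host reported as rc4-in-use or aes-unsupported belongs to a domain that still needs AES enabled for Kerberos.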
