RC4 has been deemed insecure for years. Connect-VIServer will not pass through authentication via SSPI without RC4_HMAC_MD5 being enabled. DOD STIG requirements for Windows 2016 require that this be turned off. Please fix this.
Fix Text: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected:
CCI: CCI-000803: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Notes: Changing the registry entry to 7ffffffc or adding RC4_HMAC_MD5 to the policy settings allows PowerCLI to pass through Windows authentication via SSPI to Kerberos.
This problem is outside of PowerCLI and between the AD and the operating system. You can find some ideas on how to fix it in this blog post: https://communities.vmware.com/t5/VMware-PowerCLI-Discussions/connect-viserver-not-passing-thru-user-credentials-in-Windows/m-p/1391755#M45025
This also affects Server 2012 and 2019, PLEASE fix this!
STIG: V-73685
Group Title: SRG-OS-000120-GPOS-00061
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\
Value Name: SupportedEncryptionTypes
Value Type: REG_DWORD
Value: 0x7ffffff8 (2147483640)
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
NIST SP 800-53 :: IA-7
NIST SP 800-53A :: IA-7.1
NIST SP 800-53 Revision 4 :: IA-7
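The two values quoted in this thread differ by a single bit of the `SupportedEncryptionTypes` mask. The following is an added example, not part of the original posts and not PowerCLI code: it decodes the mask and reads the policy value from the registry path given above. The function name `ConvertFrom-KerberosEncTypeMask` is hypothetical, and the bit assignments are the standard ones for this Windows policy setting.

```powershell
# Bit assignments of SupportedEncryptionTypes, in policy-checkbox order.
$EncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x00000001
    'DES_CBC_MD5'             = 0x00000002
    'RC4_HMAC_MD5'            = 0x00000004
    'AES128_HMAC_SHA1'        = 0x00000008
    'AES256_HMAC_SHA1'        = 0x00000010
    'Future encryption types' = 0x7FFFFFE0
}
$StigValue = 0x7FFFFFF8   # value required by V-73685 (from the thread)

function ConvertFrom-KerberosEncTypeMask {
    # Hypothetical helper: turns the DWORD into a readable audit record.
    param([Parameter(Mandatory)][int]$Mask)
    $selected = foreach ($name in $EncTypeBits.Keys) {
        if (($Mask -band $EncTypeBits[$name]) -ne 0) { $name }
    }
    [pscustomobject]@{
        Hex         = '0x{0:x8}' -f $Mask
        Selected    = @($selected) -join ', '
        Rc4Enabled  = ($Mask -band 0x4) -ne 0
        DesEnabled  = ($Mask -band 0x3) -ne 0
        MatchesStig = $Mask -eq $StigValue
    }
}

# Constructed inputs: the STIG value and the workaround value from the thread.
foreach ($value in 0x7FFFFFF8, 0x7FFFFFFC) {
    ConvertFrom-KerberosEncTypeMask -Mask $value
}

# On a Windows host: audit the value the policy actually wrote.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$prop = Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($prop) {
    ConvertFrom-KerberosEncTypeMask -Mask $prop.SupportedEncryptionTypes
} else {
    Write-Warning "SupportedEncryptionTypes is not set under $path (policy not configured)."
}
```

For `0x7ffffff8` the record lists only the AES types and future encryption types with `Rc4Enabled` false; for `0x7ffffffc` it additionally lists RC4_HMAC_MD5 and `MatchesStig` is false.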