
Update docs on RC4 deprecation. #6179

Open
ImalshaD wants to merge 1 commit into wso2:master from ImalshaD:iwa-krb5-enctypes-doc

Conversation

@ImalshaD ImalshaD commented Jun 9, 2026


Related Issues:

This pull request enhances the documentation for configuring Integrated Windows Authentication (IWA) by providing detailed guidance on setting up the krb5.conf file and explaining key Kerberos configuration properties. The update improves clarity for users configuring Kerberos environments, especially around encryption types and compatibility with Active Directory.

Kerberos configuration guidance:

  • Added step-by-step instructions for editing the krb5.conf file, including default and recommended settings for different product versions, with a focus on using secure AES encryption types instead of the deprecated rc4-hmac.
  • Provided detailed explanations for each property under [libdefaults] and [realms], clarifying their roles in Kerberos authentication and how they should be set for typical AD environments.
  • Included a note explaining the significance of default_tkt_enctypes and default_tgs_enctypes in the Kerberos authentication flow, emphasizing the need for alignment with the KDC's permitted encryption types.
  • Documented the optional permitted_enctypes property and how to use it to further restrict allowed encryption algorithms for enhanced security.

Product version-specific instructions:

  • For versions 7.0.0–7.2.0, added instructions to set the Kerberos configuration file
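As an added example for this thread (not part of this PR or of the WSO2 docs), the following Python script parses a krb5.conf laid out like the sample file the PR documents, reports weak enctypes in the three properties the PR covers (`default_tkt_enctypes`, `default_tgs_enctypes`, `permitted_enctypes`), and rewrites only the offending lines to the AES pair the PR recommends. The weak-enctype list goes beyond the page: `rc4-hmac` is what the PR deprecates; the arcfour aliases and the single-DES/3DES names are an assumption. The sample krb5.conf is constructed to match the default file described in the PR.

```python
"""Audit a krb5.conf for weak Kerberos enctypes and rewrite them to AES.

Added example for this review thread; it is not part of the WSO2 docs or
of this PR. It understands the flat [libdefaults] layout and the braced
[realms] blocks shown in the PR's sample file.
"""
import re
import sys

# rc4-hmac is the enctype the PR deprecates. The arcfour aliases and the
# single-DES/3DES names are added here as an assumption (not from the PR).
WEAK_ENCTYPES = {
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
}
# The three properties the PR documents as carrying enctype lists.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# The replacement the PR recommends for typical Active Directory realms.
AES_ENCTYPES = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]

# Constructed sample: the default file the PR says ships with the product.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = WSO2.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
dns_lookup_kdc = true
dns_lookup_realm = false

[realms]
WSO2.COM = {
kdc = 127.0.0.1
}
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; keys inside a realm block are
    prefixed with the realm name, e.g. 'WSO2.COM.kdc'."""
    sections, current, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):                   # "WSO2.COM = {" opens a realm
            realm = line[:-1].strip().rstrip("=").strip()
            continue
        if line == "}":
            realm = None
            continue
        if "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][f"{realm}.{key}" if realm else key] = value
    return sections


def find_weak_enctypes(sections):
    """List (property, enctype) pairs in [libdefaults] that name a weak enctype."""
    libdefaults = sections.get("libdefaults", {})
    return [
        (key, enc)
        for key in ENCTYPE_KEYS
        for enc in libdefaults.get(key, "").split()
        if enc.lower() in WEAK_ENCTYPES
    ]


def harden(text):
    """Rewrite only the enctype lines that contain weak entries: strong entries
    are kept, weak ones dropped, and the AES pair substituted if nothing is left."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        key, _, rest = stripped.partition("=")
        key = key.strip()
        if key in ENCTYPE_KEYS and rest:
            values = rest.split("#", 1)[0].split()
            kept = [e for e in values if e.lower() not in WEAK_ENCTYPES]
            if len(kept) != len(values):
                indent = line[: len(line) - len(line.lstrip())]
                out.append(f"{indent}{key} = {' '.join(kept or AES_ENCTYPES)}")
                continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python krb5_enctype_audit.py [/path/to/krb5.conf]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    for key, enc in find_weak_enctypes(parse_krb5_conf(source)):
        print(f"weak enctype {enc} in {key}")
    print(harden(source))
```

Run it against `<IS_HOME>/repository/conf/identity/krb5.conf` before and after applying the PR's instructions: the first run should list both `rc4-hmac` entries, the second should list nothing. The rewrite deliberately keeps any AES entries already present and only substitutes the recommended pair when a list would otherwise become empty, so it will not widen an already-restricted `permitted_enctypes`.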

Copilot AI review requested due to automatic review settings June 9, 2026 10:07

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds Kerberos (krb5.conf) guidance to the IWA login setup instructions, including stronger default encryption type recommendations and background on key properties.

Changes:

  • Documented where to find and how to update krb5.conf, including AES enctype recommendations.
  • Added detailed explanations for relevant [libdefaults] / [realms] properties and permitted_enctypes.
  • Added a version-gated step (7.0.0–7.2.0) to configure the JVM krb5.conf system property.

3. Open the `krb5.conf` file found in the `<IS_HOME>/repository/conf/identity` folder. By default, it contains the following configuration:
Comment on lines +150 to +153
Open `<IS_HOME>/bin/wso2server.sh` and add the following parameter to the JVM startup arguments so that {{product_name}} loads the updated `krb5.conf` file at startup:

``` bash
-Djava.security.krb5.conf="$CARBON_HOME/repository/conf/identity/krb5.conf"
Comment on lines +147 to +148
{% if is_version in ["7.0.0", "7.1.0", "7.2.0"] %}
4. Set the Kerberos configuration file location as a JVM system property.
``` bash
-Djava.security.krb5.conf="$CARBON_HOME/repository/conf/identity/krb5.conf"
```
{% endif %}
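Review bot: the version-gated step shows only the bare `-Djava.security.krb5.conf="$CARBON_HOME/repository/conf/identity/krb5.conf"` flag, so a reader cannot tell where in `<IS_HOME>/bin/wso2server.sh` it goes; show the surrounding JVM-argument line the flag is appended to, and state whether the equivalent Windows startup script needs the same property, since the step names only the `.sh` file. The `bash` fence here also sits directly against the numbered step and `{% endif %}` with no blank lines, the same MD031 pattern the lint job flags on the `java` fences earlier in this file.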
coderabbitai Bot commented Jun 9, 2026

Walkthrough

This PR adds documentation for configuring Kerberos encryption in IWA (Integrated Windows Authentication) setup, replacing weak RC4 algorithms with AES enctypes and providing version-specific JVM startup parameter configuration.

Changes

IWA Kerberos Configuration Documentation

  • Layer: krb5.conf encryption upgrade and JVM startup parameter configuration
  • File(s): en/includes/guides/authentication/enterprise-login/add-iwa-login.md
  • Summary: Documents how to edit krb5.conf to replace default rc4-hmac encryption types with AES-compatible enctypes in default_tkt_enctypes and default_tgs_enctypes. Covers required/optional Kerberos properties, explains enctype overlap with SPN account compatibility, introduces the optional permitted_enctypes constraint for further algorithm restrictions, and provides version-conditional instructions to set the JVM -Djava.security.krb5.conf system property in wso2server.sh for IS versions 7.0.0, 7.1.0, and 7.2.0.

Suggested labels

Team/Authentication & registration

Suggested reviewers

  • ThaminduR
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. Explanation: The description is incomplete. It lacks required sections such as 'Test environment' and 'Security checks' from the template, and the 'Related Issues' checkbox is unchecked. Resolution: Complete the PR description by adding the 'Test environment' section listing tested environments, and ensure all security check items are addressed with checkboxes marked appropriately.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately summarizes the main documentation update regarding RC4 deprecation in Kerberos configuration, which is the primary focus of the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@en/includes/guides/authentication/enterprise-login/add-iwa-login.md`:
- Around line 75-110: The fenced code blocks inside the Jinja conditional
branches (the ``` java blocks within the "{% if is_version in [\"7.0.0\",
\"7.1.0\", \"7.2.0\"] %}" branch and the "{% else %}" branch) are missing
surrounding blank lines; add a single blank line before and after each fenced
code block so the opening and closing ``` fences are each separated by a blank
line from adjacent text (i.e., insert a blank line after the closing ``` in both
branches and ensure there's a blank line before the opening ``` in the else
branch as well) to fix the MD031 lint failures.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: e748ae1e-5340-489c-b727-fb53b26779d7

📥 Commits

Reviewing files that changed from the base of the PR and between 20699da and d3e61cd.

📒 Files selected for processing (1)
  • en/includes/guides/authentication/enterprise-login/add-iwa-login.md

Comment on lines +75 to +110
{% if is_version in ["7.0.0", "7.1.0", "7.2.0"] %}
``` java
[libdefaults]
default_realm = WSO2.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
dns_lookup_kdc = true
dns_lookup_realm = false

[realms]
WSO2.COM = {
kdc = 127.0.0.1
}
```

The default configuration uses `rc4-hmac`, which is considered weak and is disabled by default in newer JDKs. Update `default_tkt_enctypes` and `default_tgs_enctypes` to use AES enctypes that are also permitted for the SPN account on your KDC. For most Active Directory environments, the following is a safe replacement:

``` java
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```
{% else %}
``` java
[libdefaults]
default_realm = WSO2.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
dns_lookup_kdc = true
dns_lookup_realm = false

[realms]
WSO2.COM = {
kdc = 127.0.0.1
}
```
{% endif %}
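Review bot: both krb5.conf fences in this region are tagged `java`, but the content is an INI-style krb5.conf, not Java source; tag them `ini` (or leave them untagged) so the highlighter and the reader are not misled. Separately, the 7.0.0–7.2.0 branch first shows the full rc4-hmac default and then only the two replacement `default_tkt_enctypes` / `default_tgs_enctypes` lines, leaving the reader to splice them in; showing the complete resulting `[libdefaults]` block, as the `{% else %}` branch already does, would leave both branches in the same end state and make the "also permitted for the SPN account on your KDC" caveat easier to act on.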


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix MD031 failures by adding blank lines around fenced blocks in both Jinja branches.

The fences opened at Line 76 and Line 97 are not surrounded by blank lines, which is causing the lint job to fail.

Suggested patch
     {% if is_version in ["7.0.0", "7.1.0", "7.2.0"] %}
+
     ``` java
     [libdefaults]
             default_realm = WSO2.COM
@@
        }
     ```
+
 
     The default configuration uses `rc4-hmac`, which is considered weak and is disabled by default in newer JDKs. Update `default_tkt_enctypes` and `default_tgs_enctypes` to use AES enctypes that are also permitted for the SPN account on your KDC. For most Active Directory environments, the following is a safe replacement:
@@
     default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
     ```
+
     {% else %}
+
     ``` java
     [libdefaults]
             default_realm = WSO2.COM
@@
        }
     ```
+
     {% endif %}
🧰 Tools
🪛 GitHub Actions: Markdown Lint / 0_lint.txt

[error] 76-76: markdownlint-cli2: MD031/blanks-around-fences - Fenced code blocks should be surrounded by blank lines. [Context: "``` java"]

🪛 GitHub Actions: Markdown Lint / lint

[error] 76-76: markdownlint-cli2/md031: Fenced code blocks should be surrounded by blank lines [Context: "``` java"].

🪛 GitHub Check: lint

[failure] 109-109: Fenced code blocks should be surrounded by blank lines
en/includes/guides/authentication/enterprise-login/add-iwa-login.md:109 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md


[failure] 97-97: Fenced code blocks should be surrounded by blank lines
en/includes/guides/authentication/enterprise-login/add-iwa-login.md:97 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "``` java"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md


[failure] 95-95: Fenced code blocks should be surrounded by blank lines
en/includes/guides/authentication/enterprise-login/add-iwa-login.md:95 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md


[failure] 76-76: Fenced code blocks should be surrounded by blank lines
en/includes/guides/authentication/enterprise-login/add-iwa-login.md:76 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "``` java"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@en/includes/guides/authentication/enterprise-login/add-iwa-login.md` around
lines 75 - 110, The fenced code blocks inside the Jinja conditional branches
(the ``` java blocks within the "{% if is_version in [\"7.0.0\", \"7.1.0\",
\"7.2.0\"] %}" branch and the "{% else %}" branch) are missing surrounding blank
lines; add a single blank line before and after each fenced code block so the
opening and closing ``` fences are each separated by a blank line from adjacent
text (i.e., insert a blank line after the closing ``` in both branches and
ensure there's a blank line before the opening ``` in the else branch as well)
to fix the MD031 lint failures.

Sources: Linters/SAST tools, Pipeline failures
