Bear with me, I know this is sloppy, but here is the back story:
We have a partner that uses Jira and is using SPNEGO with a custom auth back-end that expects certain group membership in the token. Assuming the presented token meets the requirements, the user is granted SSO access to Jira.
We have a two-way, non-transitive external trust from one of our child domains with this partner. Since this is an old and crusty external trust and not a selective forest trust, AD does not maintain the information necessary for Kerberos to work for anything other than interactive logons between the domains.
There is an SPN registered on their side for this service, but clients on my side cannot locate this SPN, because a Kerberos referral is not possible. This is, obviously, a problem, since it causes the clients to fall back to NTLM and they don't SSO.
The proposed workaround is to make a service account on our end as well and register an SPN on our side for the same service, identical to theirs. The passwords will have to be identical on each side. This will negate the need for a referral to find the appropriate SPN, since we're effectively mirroring it on our side and "tricking" the clients in our child into using it rather than the proper one on their side. They are also proposing that we lower the encryption algorithm for these mirrored accounts to RC4 rather than AES.
This is where my knowledge starts to falter: I don't know why the step of lowering the encryption algorithm to RC4 is necessary. I also don't know what the security implications of it may be.
What are the implications and why can't we just stick with AES to make this work?
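An added example, not part of the question above or of any answer to it: a Python script that derives, for one password, the long-term key Kerberos uses for RC4-HMAC (the NT hash, MD4 over the UTF-16LE password, with no salt) and the salted PBKDF2 stage of the AES string-to-key function from RFC 3962, in two different realms. The realm names, the account name and the password are assumed for illustration. The final AES key is obtained from the PBKDF2 output by a further DK("kerberos") step that does not involve the salt, so that step is omitted here; any difference in the PBKDF2 output carries through to the final key. MD4 is implemented inline because hashlib lacks it on many OpenSSL 3 builds.

```python
"""Why a mirrored SPN with an identical password yields the same key for RC4
but not for AES. Added example, not from the original post; realm, account and
password values below are assumed for illustration only."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), little-endian words, three 16-step rounds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _lrot((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4                          # 0,4,8,12,1,5,...
            a = _lrot((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _lrot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_key(password: str) -> bytes:
    """RC4-HMAC (etype 23) long-term key: the NT hash. The realm and the
    principal name play no part, so two accounts with the same password in
    different domains hold the same key."""
    return md4(password.encode("utf-16-le"))


def aes_pbkdf2_stage(password: str, realm: str, principal: str,
                     key_bytes: int = 32, iterations: int = 4096) -> bytes:
    """PBKDF2 stage of the AES string-to-key function (RFC 3962, section 4).
    The default salt is the upper-cased realm name followed by the principal
    name components with no separator, so the realm is baked into the key.
    The real key adds a fixed DK("kerberos") step (omitted) that ignores the salt."""
    salt = (realm.upper() + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, key_bytes)


def long_term_keys(password: str, realm: str, principal: str) -> dict:
    """Both long-term keys an account with this password would hold in `realm`."""
    return {
        "rc4_hmac": rc4_hmac_key(password),
        "aes256_pbkdf2": aes_pbkdf2_stage(password, realm, principal, key_bytes=32),
        "aes128_pbkdf2": aes_pbkdf2_stage(password, realm, principal, key_bytes=16),
    }


if __name__ == "__main__":
    PASSWORD = "Correct-Horse-Battery-Staple-1"          # constructed sample password
    ACCOUNT = "svc-jira"                                 # assumed service account name
    for realm in ("CHILD.CORP.EXAMPLE", "PARTNER.EXAMPLE"):   # assumed realm names
        keys = long_term_keys(PASSWORD, realm, ACCOUNT)
        print(f"{realm:20} rc4={keys['rc4_hmac'].hex()} aes256={keys['aes256_pbkdf2'].hex()}")
```

Running it prints an identical RC4 key for both realms and a different AES key for each, which is the behaviour the mirrored-SPN workaround depends on. The same output also shows the cost of the workaround: the RC4 long-term key is nothing more than the NT hash of the shared password, so both domains hold the same secret for that service and that key is only as strong as the password behind it.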