Temporarily allow Kerberos authentication to Windows 2003 boxes after applying November 2022 updates

Question

Temporarily allow Kerberos authentication to Windows 2003 boxes after applying November 2022 updates

BK IT Staff 246

Please let's skip the part "what? 2003???" etc :P That's nothing into production, but I need to be able to allow communication with them for some more week if possibile.

As you know (and if I correctly understood), November updates, I think the kb5021131 in particular for this issue, set the default enc type to AES for Kerberos authentication, if not else specified for the specific account.

I traced the traffic between my Win 10 box and the Windows 2003, and I see the following (as you see etype is AES256 and 2003 does not support that):

Then, it follows the error:

My question is:

How can I define that just for that computer account the Enc type must be RC4? Is that possible? I was looking for the "msDS-SupportedEncryptionTypes" attribute for the computer object in AD, but it has been added starting from Windows 2008. Thank you.

Accepted answer

4 additional answers

Your answer

Answer 1

Anonymous

The registry setting described here may help.

https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25
https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb
https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

--please don't forget to upvote and Accept as answer if the reply is helpful--

BK IT Staff 246 Reputation points

2022-11-29T09:16:10.66+00:00

The keys described are domain wide.
I was asking to allow just my windows 2003 box to use old cyphers.

Answer 2

Anonymous

You may need to upgrade the operating system to something supported.

--please don't forget to upvote and Accept as answer if the reply is helpful--

BK IT Staff 246 Reputation points

2022-11-29T14:24:35.477+00:00

You may think that this could be an "exercise" for us to better understand how this encryption stuff works, no? It's obvious that is not supported, but I am on a Q&A forum, not raising a support case with MS. I would really like to better understand how to handle Kerberos ecnryption parameters, beyond the supported or not supported OS. Win 2003 supports RC4... There has to be a way to let the DCs know that for specific AD account(s) the Kerberos encryption must be RC4, not AES. Thanks for replying on the matter.

Answer 3

Anonymous

Read on here.
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos

--please don't forget to upvote and Accept as answer if the reply is helpful--

Anonymous

2022-11-30T16:19:42.933+00:00

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--
BK IT Staff 246 Reputation points

2022-12-01T11:39:31.46+00:00

Yes thank you, I already had previously gave a read to that interesting article. However, despite it states that it applies to Windows 2000 and later OSes, I cannot find that local policy ("Network security: Configure encryption types allowed for Kerberos") on my Win 2003 box. Maybe I have to find an "updated" (LoL) old .adm file and add it to "c:\windows\inf" folder...
Anonymous

2022-12-01T14:14:39.67+00:00

Sounds good, please don't forget to close up the thread by
Anonymous

2022-12-02T14:00:10.017+00:00

Just a reminder, please don't forget to close up the thread by
BK IT Staff 246 Reputation points

2022-12-02T17:05:06.14+00:00

I have some doubts, actaully one. Can you kindly clarify them? I read a lot about Kerberos Encryption settings, but there's one concept I cannot figure out.

Have the Encryption settings (DES, RC4, AES...) to be set for ALL the objects in a domain (DCs included)? In other words: I never explicitly set Encryption settings. If I want that RC4 must be mantained to communicate with a server that only support it, the "msDC-SupportedEncryptionTypes" setting has to be applied at domain level, for all the objects that need to communicate with it?

Answer 4

Anonymous

The settings here are all there is to work with regarding KB5021131
https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 5

ToddN0510 0

Did you successfully figure out how to authenticate your 2003 servers?
We have two 2003 servers in our environment that cannot be upgraded any time soon as they run essential software that isn't compatible with newer operating systems. Each time we have attempted to update our domain controllers since the November 2022 update, we lose connection to the 2003 servers and need to revert the domain controllers.

BK IT Staff 246 Reputation points

2023-04-05T13:35:15.74+00:00

Nope, my solution has been to move off from 2003. Nobody in MS wanted to help me on this (they're not so wrong in the end). Go at this site: https://syfuhs.net/kerberos-event-id-27. If you go all the way down to the latest comments, there's a chat between me and Steve Syfuhs. He is one of the MS developers in the security team. He basically said that there is no way to allow old 2003 boxes to talk with newer Windows Server boxes once you patch domain controllers with November '22 MS patches, neither by properly setting the registry keys involved in the Kerberos encryption. Now, I am pretty sure that there is a way to workaround this obstacle even after patching DCs by properly setting some reg key, but they do not want tell to avoid having "threat isles" around. I think so. If I had had a test env, I would have played with Kerberos encryption settings for sure (more for educational purposes than to actually keep going with 2003 boxes - I was already on the way of decommissioning them), but I did not want to risk playing with those settings in prod.

EDIT: I facilitate with the screenshot of the chat I mentioned above

Francesco

Share via

Temporarily allow Kerberos authentication to Windows 2003 boxes after applying November 2022 updates

4 additional answers

Your answer