Temporarily allow Kerberos authentication to Windows 2003 boxes after applying November 2022 updates

BK IT Staff 246 Reputation points
2022-11-28T12:04:33.093+00:00

Please let's skip the part "what? 2003???" etc. :P That's nothing in production, but I need to be able to allow communication with them for some more weeks if possible.

As you know (and if I understood correctly), the November updates, I think KB5021131 in particular for this issue, set the default enc type to AES for Kerberos authentication, if not otherwise specified for the specific account.

I traced the traffic between my Win 10 box and the Windows 2003, and I see the following (as you see etype is AES256 and 2003 does not support that):

[Image: 264708-immagine.png]

Then, it follows the error:

[Image: 264811-immagine.png]

My question is:

How can I define that just for that computer account the Enc type must be RC4? Is that possible? I was looking for the "msDS-SupportedEncryptionTypes" attribute for the computer object in AD, but it has been added starting from Windows 2008. Thank you.
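
To make the attribute named in the question concrete, this added example (not code from the thread or from Microsoft) decodes `msDS-SupportedEncryptionTypes` values and flags accounts that share no etype with a DES/RC4-only host. The account names, sample values, and the AES-only `assumed_default` are constructed assumptions that model the behaviour the question describes.

```python
# Added example: decode msDS-SupportedEncryptionTypes and flag accounts that
# share no Kerberos etype with a DES/RC4-only host such as Windows 2003.
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
RC4 = 0x04
AES_MASK = 0x08 | 0x10
LEGACY_MASK = 0x01 | 0x02 | 0x04  # assumption: the legacy host does DES/RC4 only


def decode(mask):
    """Names of the etypes set in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ETYPE_BITS.items() if mask & bit]


def audit(accounts, assumed_default):
    """accounts: (name, value) pairs; value None or 0 means 'not set'.
    assumed_default: mask the KDC is assumed to apply to unset accounts."""
    report = {}
    for name, value in accounts:
        effective = value if value else assumed_default
        notes = []
        if not value:
            notes.append("unset: inherits default")
        if not effective & AES_MASK:
            notes.append("no AES")
        if effective & RC4:
            notes.append("RC4 allowed")
        if not effective & LEGACY_MASK:
            notes.append("no etype in common with DES/RC4-only host")
        report[name] = {"etypes": decode(effective), "notes": notes}
    return report


# Constructed sample data: names and values are illustrative, not from the thread.
SAMPLE = [("SRV2003$", None), ("APP01$", 0x1C), ("OLD01$", 0x04)]
AES_ONLY_DEFAULT = 0x18  # assumption: models the AES default the question describes

if __name__ == "__main__":
    for host, result in audit(SAMPLE, AES_ONLY_DEFAULT).items():
        print(host, result["etypes"], result["notes"])
```
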


Accepted answer
  1. Anonymous
    2022-11-28T14:33:12.8+00:00

4 additional answers

  1. Anonymous
    2022-11-29T14:08:53.993+00:00

    You may need to upgrade the operating system to something supported.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Anonymous
    2022-11-29T14:38:15.167+00:00

  3. Anonymous
    2022-12-02T18:49:56.127+00:00

    The settings here are all there is to work with regarding KB5021131
    https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. ToddN0510 0 Reputation points
    2023-04-05T13:04:57.11+00:00

    Did you successfully figure out how to authenticate your 2003 servers?
    We have two 2003 servers in our environment that cannot be upgraded any time soon as they run essential software that isn't compatible with newer operating systems. Each time we have attempted to update our domain controllers since the November 2022 update, we lose connection to the 2003 servers and need to revert the domain controllers.