KB5020805, KB5021130, KB5021131 with Windows 2003 still works

ComputerHabit 946

I am working on some KB articles about upcoming Kerberos changes.

KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 - Microsoft Support
https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 - Microsoft Support
https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25

KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966 - Microsoft Support
https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

The article mentions issues with Windows 2003 systems.
In lab I have setup a domain and have 2003 systems added.
I have applied all the registry changes that are to be the new "Default"

KB5020805
#enforce
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name KrbtgtFullPacSignature -Value 0X3 -PropertyType DWORD –Force
KB5021130
#Enforced
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters" -Name RequireSeal -Value 0X2 -PropertyType DWORD –Force
KB5021131
#Default
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name DefaultDomainSupportedEncTypes -Value 0X27 -PropertyType DWORD –Force

My 2003 boxes can still login.

Am I missing something or will 2003 Servers continue to work?

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

4 answers

Limitless Technology 44,391 Reputation points

2023-05-09T14:52:17.4533333+00:00

Hello ComputerHabit,

Thank you for your question and for reaching out with your question today.

If your 2003 servers are still working with Kerberos, then great. It is highly recommended that 2003 servers should be upgraded wherever possible as they are well outside of Microsoft support now.

If the reply was helpful, please don’t forget to upvote or accept as answer.
Please sign in to rate this answer.
ComputerHabit 946 Reputation points

2023-05-09T16:02:40.6566667+00:00

It's not about if they work with Kerberos, it's about the Encryption Types.

I'm asking if RC4 continues to stay in place, will Windows 2003 continue to work?

RC4 we all know is old and should be discontinued.
We also know that RC4 is default between forests.

The documentation mentions the update of signature on the Kerberos ticket. Apparently 2003 Server does not support this new signature.

Also, it doesn't understand the AD Attributes involved encryption. But I'm not certain this effects anything but system Service Accounts.

So I'm looking for solid details but I can't find them.

When does this new signature that Windows 2003 doesn't understand come into effect?

If I leave RC4 enabled can I still patch my domain controllers and 2003 systems will still work?

I'm trying to figure out WHEN things will stop working, because right now they work.

Andrea TurboZag 0 Reputation points

2023-06-21T14:03:20.23+00:00

Hi ComputerHabit,
Microsoft is ending support for RC4 encryption and defaulting to AES encryption, so Windows 2003 will stop working in an updated Active Directory environment after the full enforcement phase will be reached.
Full enforcement phase will start on July 11, 2023 (KB5021130) and from October 10, 2023 (KB5020805), as stated in these KB articles.
I can also confirm that the announced RC4 decommission is REAL, since I've run some simulations in a fully working lab environment using a Windows 2003 Server and a Windows XP client (as domain members) and 2 Windows 2016 Domain Controllers that received the November 8, 2022 updates.

I've reproduced the situation that will happen after the enforcement phase just playing with the RequireSeal, KrbtgtFullPacSignature and DefaultDomainSupportedEncTypes registry keys and I can confirm that Windows 2003 Server and Windows XP client couldn't log into domain anymore.

So if you still have older Windows 2003/XP/Vista in your environment, it's absolutely time for a refresh and you should rush to do it before the enforcement phase, otherwise you'll surely have to manage service interruptions.

You can also run this powershell script in your Domain Ccontroller to have a quick report of the AD objects that will be impacted by the RC4 encryption algorithm decommission: https://github.com/takondo/11Bchecker

I hope you'll find these information useful,
ciao!

Andrea <TurboZag>

ComputerHabit 946 Reputation points

2023-09-20T15:23:22.4333333+00:00

In lab I have

KrbtgtFullPacSignature = 3
RequireSeal = 2
DefaultDomainSupportedEncTypes = Default (0x27)

Windows 2003 systems can still login.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
ComputerHabit 946 Reputation points

2023-05-10T16:11:09.9566667+00:00

Anyone else have some details?
Please sign in to rate this answer.
Ben Slade 0 Reputation points

2023-05-24T16:02:43.1866667+00:00

I'm about to apply all those patches this weekend. I believe the are a couple of more phases to come, June/July + Oct. By Oct I think the settings will be mandatory. Not sure what the regedits do, but you maybe running in audit mode? Good luck with the changes, I am a but anxxious myself, as we tried this back in Nov and couldnt access any 2003 shares or RDP by hostname

ComputerHabit 946 Reputation points

2023-05-24T16:25:33.17+00:00

Let me know how it goes. I've read all the docs. I just can't find a definitive answer on how to verify the updates do indeed break older OS's.

ComputerHabit 946 Reputation points

2023-06-02T14:36:22.6066667+00:00

Anyone?

Andrea TurboZag 0 Reputation points

2023-06-21T14:03:53.7933333+00:00

Hi ComputerHabit,
Microsoft is ending support for RC4 encryption and defaulting to AES encryption, so Windows 2003 will stop working in an updated Active Directory environment after the full enforcement phase will be reached.
Full enforcement phase will start on July 11, 2023 (KB5021130) and from October 10, 2023 (KB5020805), as stated in these KB articles.
I can also confirm that the announced RC4 decommission is REAL, since I've run some simulations in a fully working lab environment using a Windows 2003 Server and a Windows XP client (as domain members) and 2 Windows 2016 Domain Controllers that received the November 8, 2022 updates.

I've reproduced the situation that will happen after the enforcement phase just playing with the RequireSeal, KrbtgtFullPacSignature and DefaultDomainSupportedEncTypes registry keys and I can confirm that Windows 2003 Server and Windows XP client couldn't log into domain anymore.

So if you still have older Windows 2003/XP/Vista in your environment, it's absolutely time for a refresh and you should rush to do it before the enforcement phase, otherwise you'll surely have to manage service interruptions.

You can also run this powershell script in your Domain Ccontroller to have a quick report of the AD objects that will be impacted by the RC4 encryption algorithm decommission: https://github.com/takondo/11Bchecker

I hope you'll find these information useful,
ciao!

Andrea <TurboZag>
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Talevi, Flavio 0 Reputation points

2023-07-26T17:20:39.78+00:00

i understand windows server 2008 or higher will work.

This feature KrbtgtFullPacSignature was addedd in 2022, when no more codes for windows server 2003 (windows Server 2008 and Windows 7 has ESU by that time).

i just raise a ticket with Microsoft. lets see what they will reply.
Please sign in to rate this answer.
ComputerHabit 946 Reputation points

2023-09-20T15:25:45.06+00:00

We're getting close to full enforcement time. I have updated my lab and still 2003 can login.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
ComputerHabit 946 Reputation points

2024-01-08T16:18:29.4033333+00:00

It's a new year. These changes were supposed to be in effect already.

I have a LAB with fully patched 2012 R2 DC's. Windows 2003 continues to authenticate against the domain.

So far I feel like I'm either missing something or Microsoft just blew a bunch of smoke for nothing.

I still feel like MS could have written these articles better and have been more clear.
Please sign in to rate this answer.
ComputerHabit 946 Reputation points

2024-01-08T17:32:57.1866667+00:00

I spoke too soon.

It seems I can login to the domain but accessing from a newer patched OS prevents access to things like a network share.

ComputerHabit 946 Reputation points

2024-01-08T17:36:47.1366667+00:00
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

KB5020805, KB5021130, KB5021131 with Windows 2003 still works

4 answers

Your answer