KB5020805, KB5021130, KB5021131 with Windows 2003 still works

ComputerHabit 826 Reputation points

I am working on some KB articles about upcoming Kerberos changes.

KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 - Microsoft Support

KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 - Microsoft Support

KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966 - Microsoft Support

The article mentions issues with Windows 2003 systems.
In a lab I have set up a domain and have 2003 systems added.
I have applied all the registry changes that are to be the new "Default".

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name KrbtgtFullPacSignature -Value 0x3 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters" -Name RequireSeal -Value 0x2 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name DefaultDomainSupportedEncTypes -Value 0x27 -PropertyType DWORD -Force

My 2003 boxes can still log in.

Am I missing something or will 2003 Servers continue to work?
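
A read-back check for the three values set in the question, added here as an example (it is not part of the original post or of Microsoft's articles). It assumes PowerShell on the domain controller; the function names are made up for this example, and the mode labels and bit names follow the setting descriptions in the linked KB articles and the msDS-SupportedEncryptionTypes bit layout.

```powershell
# Added example: read back and decode the three DC registry values from the question.
# Get-DcHardeningState and ConvertFrom-EncTypeMask are hypothetical names for this example.

# Bit flags of DefaultDomainSupportedEncTypes (same bits as msDS-SupportedEncryptionTypes).
$EncTypeBits = @(
    [pscustomobject]@{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    [pscustomobject]@{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    [pscustomobject]@{ Bit = 0x04; Name = 'RC4-HMAC' }
    [pscustomobject]@{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    [pscustomobject]@{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
    [pscustomobject]@{ Bit = 0x20; Name = 'AES256-CTS-HMAC-SHA1-96-SK' }
)

function ConvertFrom-EncTypeMask {
    param([Parameter(Mandatory)][int]$Mask)
    # Return the names of every encryption type whose bit is set in the mask.
    ($EncTypeBits | Where-Object { $Mask -band $_.Bit } | ForEach-Object { $_.Name }) -join ', '
}

# Modes are indexed by the DWORD value; $null means "decode as an enc-type bitmask".
$Settings = @(
    @{ Path  = 'HKLM:\System\CurrentControlSet\Services\KDC'
       Name  = 'KrbtgtFullPacSignature'
       Modes = @('Disabled', 'Signatures added, not verified', 'Audit', 'Enforcement') }
    @{ Path  = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
       Name  = 'RequireSeal'
       Modes = @('Disabled', 'Compatibility', 'Enforcement') }
    @{ Path  = 'HKLM:\System\CurrentControlSet\Services\KDC'
       Name  = 'DefaultDomainSupportedEncTypes'
       Modes = $null }
)

function Get-DcHardeningState {
    foreach ($s in $Settings) {
        $prop = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # Value (or key) is absent, so the operating system default is in effect.
            $value = $null; $meaning = 'not set (OS default applies)'
        } else {
            $value = [int]$prop.($s.Name)
            if ($null -eq $s.Modes) { $meaning = ConvertFrom-EncTypeMask $value }
            elseif ($value -ge 0 -and $value -lt $s.Modes.Count) { $meaning = $s.Modes[$value] }
            else { $meaning = 'unrecognised value' }
        }
        [pscustomobject]@{ Name = $s.Name; Value = $value; Meaning = $meaning }
    }
}

Get-DcHardeningState | Format-Table -AutoSize
```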


4 answers

  1. Limitless Technology 44,046 Reputation points

    Hello ComputerHabit,

    Thank you for your question and for reaching out with your question today.

    If your 2003 servers are still working with Kerberos, then great. It is highly recommended that 2003 servers should be upgraded wherever possible as they are well outside of Microsoft support now.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

  2. ComputerHabit 826 Reputation points

    Anyone else have some details?

  3. Talevi, Flavio 0 Reputation points

    I understand Windows Server 2008 or higher will work.

    This feature, KrbtgtFullPacSignature, was added in 2022, when there was no more code for Windows Server 2003 (Windows Server 2008 and Windows 7 had ESU by that time).

    I just raised a ticket with Microsoft. Let's see what they will reply.

  4. ComputerHabit 826 Reputation points

    It's a new year. These changes were supposed to be in effect already.

    I have a lab with fully patched 2012 R2 DCs. Windows 2003 continues to authenticate against the domain.

    So far I feel like I'm either missing something or Microsoft just blew a bunch of smoke for nothing.

    I still feel like MS could have written these articles better and have been more clear.