Sorry guys, I did not get any notification that someone replied to this blog post.
N3x7y
Once the security update is installed, or security updates after November 2022 are installed, on your domain controllers, it immediately applies the new behaviors. If you are not experiencing any issues, then there are a couple of possible situations going on.
1. If you do not limit the Kerberos Encryption types supported by the Kerberos Client (Network Security: Configure encryption types allowed for Kerberos) security setting, then the KDC is still going to be able to issue RC4 Service Tickets, but those RC4 Service Tickets WILL issue AES256 Session Keys within the Service Ticket. So if you are successfully getting Kerberos tickets from an updated domain controller, then I would say that you should be fine.
2. You are not actually using Kerberos Authentication to these older resources and are falling back to NTLM authentication. We did not break or not allow NTLM authentication in the environment with this patch, so are you sure you are using Kerberos and not NTLM?
@AussieCraig
See above statements. If you did nothing to restrict the Kerberos Encryption types within your environment, then #1 should apply to you.
@Hubert
You are correct, we do not support and will not help customers to defeat the new security settings. You need to be running Modern Windows Operating systems (Windows Vista/2008 or higher) for it to support AES256 Session Keys in the Windows Kerberos Client. Keep in mind we are NOT talking about Service Tickets. Session keys are embedded within the Service Ticket. If you are having an issue with an unsupported Windows OS, all we can state is to upgrade it. If it is a 3rd party Kerberos client, I would suggest working with the vendor of that product. We have been supporting AES256 Session Keys since 2006; I would suspect that your 3rd party Kerberos client should support that as well or there should be an upgrade that can be done.
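
Added example, not part of the original reply and not Microsoft code: a small Python parser for saved `klist` output that separates the ticket encryption type from the session key type, the distinction drawn in points 1 and 2 above. The sample output, host names and result labels are constructed for illustration; the field labels assumed are the ones Windows `klist` prints.

```python
import re

# Constructed sample of Windows `klist` output (not captured from a real host).
SAMPLE_KLIST = """\
#0>     Client: alice @ EXAMPLE.TEST
        Server: krbtgt/EXAMPLE.TEST @ EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1>     Client: alice @ EXAMPLE.TEST
        Server: cifs/legacy-nas.example.test @ EXAMPLE.TEST
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
#2>     Client: alice @ EXAMPLE.TEST
        Server: http/old-app.example.test @ EXAMPLE.TEST
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

# "Label: value" lines; the first line of a ticket also carries a "#N>" prefix.
FIELD = re.compile(r"^\s*(?:#\d+>\s*)?([A-Za-z ]+?):\s*(.+?)\s*$")

def parse_klist(text):
    """Return one dict of fields per cached ticket."""
    tickets = []
    for line in text.splitlines():
        if re.match(r"^\s*#\d+>", line):
            tickets.append({})          # a new ticket entry starts here
        m = FIELD.match(line)
        if m and tickets:
            tickets[-1][m.group(1)] = m.group(2)
    return tickets

def classify(ticket):
    """Point 1: an RC4 service ticket is fine if its session key is AES256."""
    tkt = ticket.get("KerbTicket Encryption Type", "")
    key = ticket.get("Session Key Type", "")
    if "AES-256" in key:
        return "ok-rc4-ticket-aes-key" if "RC4" in tkt else "ok"
    return "review-session-key"         # session key is not AES256

def report(text):
    return [(t.get("Server", "?"), classify(t)) for t in parse_klist(text)]

def missing_service_ticket(text, host):
    """Point 2 hint: no cached ticket for the host suggests Kerberos was not used."""
    return not any(host.lower() in t.get("Server", "").lower()
                   for t in parse_klist(text))

if __name__ == "__main__":
    for server, verdict in report(SAMPLE_KLIST):
        print(f"{verdict:24} {server}")
```

Run it against `klist` output saved on the client right after connecting to the older resource; a missing ticket for that host is only a hint that the connection used NTLM and should be confirmed on the server side.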