Help me with my understanding of Kerberos and its interaction with Server 2003 please (I know, they should be long dead already, but business needs yada yada yada)
We have Server 2003s that after the November patches decided to not get Kerberos tickets anymore. Well, they can pull them, but they all show as (Unknown 18), meaning they are encrypted in AES256, hence they can't read them. That is except for odd exceptions where they CAN pull HOST tokens only using RC4.
We've opened tickets, but the Microsoft Support line is 'We don't support 2003', which I completely understand, but sadly I don't have the ability to just drop them.
Question:
Can we make the Servers stop using Kerberos for anything, and make them fall back to NTLM, instead of pulling these AES Kerberos tickets they can't use?
Or any other idea I haven't thought of? We've tried all documented workarounds, but they just don't work on 2003....
- MattTheSysAdmin (Brass Contributor), Mar 09, 2023: Yeah, it's nice to give them this kick to actually reinforce what we've been saying! Sad it took these incidents to make them actually act, but that's people for you. Sadly we've got >200 of these damn servers clogging up my infrastructure, so turning them off is a bigger project. Looking for workarounds for now so we can patch our DCs.