Hi All,
DCs are 2016, as is the functional level.
We have legacy systems like XP, 2000, 2003 and 2008 Server.
I know everyone says to decom the old servers, but our go-live to replace them is around the first week of April.
I have not applied the patches to our DCs. Also, our "Network security: Configure encryption types allowed for Kerberos" GPO is NOT defined.
My questions are:
1 – Let's say we apply Microsoft's January patch; would it break Kerberos authentication for the legacy OSes?
2 – In ADUC, can I resolve the issue by explicitly setting RC4 (0x4, RC4_HMAC_MD5) in msDS-SupportedEncryptionTypes for the computer objects of the target (legacy OS) machines?
3 – I have noticed that when I run the script I get a report that there are 63 objects that do not have AES keys generated. How should I interpret this?
Is a password reset alone enough? What happens with computer objects? Do they need a rejoin?
4 – Do I have to change the DefaultEncryptionType in the DCs' registry settings?
Key: HKLM\System\CurrentControlSet\Services\KDC
Value Type: REG_DWORD
Value Name: DefaultDomainSupportedEncTypes
Value: 0x3C (AES256_CTS_HMAC_SHA1_96_SK (Session Key))
5 – AFAIK, support for AES256_CTS_HMAC_SHA1_96_SK (Session Key) based session keys started with Windows Vista/2008, so any legacy OS prior to that will not support this encryption type. Is the registry setting below enough for the legacy OS?
Value Name: DefaultDomainSupportedEncTypes
Value: 0x3C (AES256_CTS_HMAC_SHA1_96_SK (Session Key))
Please help me with my questions above.
Thank you in advance.
Regards
Vipan
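As an added example (not from the original post, and not Microsoft's own script): a PowerShell snippet that decodes the bitmask values quoted above, reports and pins the named legacy computer objects to RC4 via msDS-SupportedEncryptionTypes as asked in question 2, lists computer objects that have no explicit value at all, and reads the KDC DefaultDomainSupportedEncTypes value from question 4. The host names, the ActiveDirectory RSAT module and the -WhatIf guards are assumptions of the example; nothing is changed until -WhatIf is removed.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module (RSAT) on a domain-joined machine and an account allowed to edit the
# target computer objects. The host names below are placeholders.
Import-Module ActiveDirectory

# Bit values shared by msDS-SupportedEncryptionTypes (per object) and the KDC's
# DefaultDomainSupportedEncTypes (domain-wide fallback when the attribute is unset).
$EncTypeBits = [ordered]@{
    DES_CBC_CRC                = 0x01
    DES_CBC_MD5                = 0x02
    RC4_HMAC_MD5               = 0x04
    AES128_CTS_HMAC_SHA1_96    = 0x08
    AES256_CTS_HMAC_SHA1_96    = 0x10
    AES256_CTS_HMAC_SHA1_96_SK = 0x20   # AES session keys only, not a ticket etype
}

function ConvertFrom-EncTypeMask {
    # Turn a numeric mask into the list of flag names it contains.
    param([int]$Mask)
    if (-not $Mask) { return @('(not set: KDC falls back to DefaultDomainSupportedEncTypes)') }
    @($EncTypeBits.GetEnumerator() | Where-Object { ($Mask -band $_.Value) -ne 0 } | ForEach-Object { $_.Key })
}

function Show-EncTypeMask {
    param([string]$Label, $Mask)
    $m = if ($null -eq $Mask) { 0 } else { [int]$Mask }
    '{0}: 0x{1:X2} -> {2}' -f $Label, $m, ((ConvertFrom-EncTypeMask $m) -join ', ')
}

# 1. Decode the two values quoted in the post.
Show-EncTypeMask 'Post value 0x4'  0x04   # RC4_HMAC_MD5
Show-EncTypeMask 'Post value 0x3C' 0x3C   # RC4 + AES128 + AES256 + AES256_SK

# 2. Report, and (with -WhatIf) pin, the legacy hosts to RC4 until they are decommissioned.
$LegacyHosts = @('LEGACY-XP01', 'LEGACY-2003SRV')   # placeholders, not real hosts
foreach ($name in $LegacyHosts) {
    $obj = Get-ADComputer -Identity $name -Properties 'msDS-SupportedEncryptionTypes'
    Show-EncTypeMask "$name before" $obj.'msDS-SupportedEncryptionTypes'
    # Drop -WhatIf to apply. 0x4 = RC4 only, matching question 2 in the post.
    Set-ADComputer -Identity $obj -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x4 } -WhatIf
}

# 3. Computer objects with no explicit value: these follow the domain-wide default,
#    so review them against the legacy inventory before changing that default.
Get-ADComputer -LDAPFilter '(!(msDS-SupportedEncryptionTypes=*))' -Properties operatingSystem |
    Select-Object Name, operatingSystem

# 4. Check the DC-side fallback named in question 4 (run this part on a DC).
#    The write is left as -WhatIf so the script is safe to run for inspection.
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$current = (Get-ItemProperty -Path $KdcKey -Name DefaultDomainSupportedEncTypes `
            -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
Show-EncTypeMask 'DefaultDomainSupportedEncTypes' $current
New-ItemProperty -Path $KdcKey -Name DefaultDomainSupportedEncTypes -PropertyType DWord `
    -Value 0x3C -Force -WhatIf
```

Both writes are guarded with -WhatIf; remove it to apply. The per-object attribute is read by the KDC on the next ticket request for that account, whereas DefaultDomainSupportedEncTypes is a per-DC registry value and therefore has to be set on every DC, not just one.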
Hey, I was also looking at the same thing; help me to fix this Kerberos issue permanently.
There is an issue with the December patch, as it will impact legacy machines. Not with the Jan patch.
Thank you so much, we will create a GPO for RC4 encryption support.