I have a very specific question before we deploy the November 2022 OOB patch to resolve the Kerberos deal on our DCs.
1st - I ran a `klist` command on a Windows box and it returns about 16 server entries. Among them I notice the KerbTicket Encryption Type is equal to RSADSI RC4-HMAC(NT), and the Session Key Type matches, from the KDC Called.
My question is: will the Nov ’22 OOB patch correct/change the actual Kerberos encryption setting on KDC tickets to the updated standard (AES), or will we have to modify that manually? We had pulled back the previous updates, and I believe our Infra Team overlooked what Kerberos was/is actually issuing. Everyone was focused on the patch and registry entries.
2nd - We have lots of 2008 servers in our environment… none of which are DCs, thankfully… but can we manually adjust the encryption upwards, away from RC4, to avoid issues? I understand the OOB patch disables support for RC4 on these and on Windows 7 via the DCs. (Big concern: this will break the 38% of our environment that has critical apps/infra running on 2008.) Just hoping we can choose another encryption level.
3rd - The other DCs appearing in the `klist` command show AES-256-CTS-HMAC-SHA1-96 as both the KerbTicket Encryption Type and the Session Key Type. I assume those are all fine and not in harm's way of the OOB patch.
Can anyone tell me if there’s a tripwire with regard to my 1st and 2nd points? I am thinking we manually need to ensure Kerberos is not handing out tickets for RC4 explicitly AFTER patching, but want to give MGT the correct info that either the OOB patch modifies the encryption setting or it merely disables RC4. Thx.
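Added example (not part of the original post or of any Microsoft tooling): a PowerShell script that checks the two things the question turns on, rather than inferring them from the patch notes. Part 1 parses `klist` output and lists the tickets whose ticket or session key is still RC4, keyed by the `Server:` line, since a service ticket is encrypted with that service account's key and its type tells you which account is still keyed for RC4. Part 2 decodes the `msDS-SupportedEncryptionTypes` attribute on computer accounts using the documented bit values (0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256) so you can see which 2008 hosts are pinned to RC4, unset, or already AES. The host names, OU path and the sample `klist` text are constructed; the AD query needs the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. Audits RC4 use in Kerberos tickets (Part 1)
# and in AD computer accounts (Part 2). Sample data and names below are constructed.

# ---- Part 1: parse klist output and flag RC4 tickets ---------------------------------
function Get-KerbTicketEncTypes {
    param([string[]]$KlistOutput)
    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^#\d+>\s+Client:') {           # each ticket block starts with "#N> Client:"
            if ($current) { $tickets += [pscustomobject]$current }
            $current = [ordered]@{ Server = $null; TicketEnc = $null; SessionKeyEnc = $null; Kdc = $null }
        }
        elseif ($current) {
            switch -Regex ($line) {
                '^\s*Server:\s+(.+)$'                     { $current.Server        = $Matches[1].Trim() }
                '^\s*KerbTicket Encryption Type:\s+(.+)$' { $current.TicketEnc     = $Matches[1].Trim() }
                '^\s*Session Key Type:\s+(.+)$'           { $current.SessionKeyEnc = $Matches[1].Trim() }
                '^\s*Kdc Called:\s+(.+)$'                 { $current.Kdc           = $Matches[1].Trim() }
            }
        }
    }
    if ($current) { $tickets += [pscustomobject]$current }
    $tickets
}

# Constructed sample in klist's layout; for live data use:  $sample = klist
$sampleText = @'
#0>     Client: jdoe @ CORP.EXAMPLE
        Server: cifs/app01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Kdc Called: DC01.corp.example

#1>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Kdc Called: DC02.corp.example
'@
$sample  = $sampleText -split "`r?`n"
$tickets = Get-KerbTicketEncTypes -KlistOutput $sample
$rc4     = $tickets | Where-Object { $_.TicketEnc -match 'RC4' -or $_.SessionKeyEnc -match 'RC4' }
$rc4 | Format-Table Server, TicketEnc, SessionKeyEnc, Kdc -AutoSize

# ---- Part 2: decode msDS-SupportedEncryptionTypes on AD computer accounts -------------
# Bit values as documented for the attribute; a plain array avoids the positional
# indexer of [ordered] dictionaries when looking flags up by integer key.
$EncTypeFlags = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)
function ConvertFrom-SupportedEncTypes {
    param($Value)   # attribute value, or $null when the attribute is not set on the account
    if ($null -eq $Value) { return 'not set (DC default applies)' }
    $names = foreach ($f in $EncTypeFlags) { if ($Value -band $f.Bit) { $f.Name } }
    if (-not $names) { return ('0x{0:X} (no recognised types)' -f $Value) }
    $names -join ', '
}

# Requires RSAT ActiveDirectory. -SearchBase is an assumed OU path; adjust to your domain.
function Get-ComputerEncTypes {
    param([string]$SearchBase, [string]$OsFilter = '*2008*')
    Get-ADComputer -Filter "OperatingSystem -like '$OsFilter'" -SearchBase $SearchBase `
        -Properties OperatingSystem, 'msDS-SupportedEncryptionTypes' |
        Select-Object Name, OperatingSystem,
            @{ n = 'SupportedEncTypes'; e = { ConvertFrom-SupportedEncTypes $_.'msDS-SupportedEncryptionTypes' } }
}
# Get-ComputerEncTypes -SearchBase 'OU=Servers,DC=corp,DC=example'
# To pin one host to AES only (0x18), after testing its applications with AES tickets:
# Set-ADComputer -Identity 'APP01' -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }
```

Two caveats when reading the results. An RC4 row in Part 1 points at the account behind the `Server:` line, not at the DC that issued it, so that is the account to inspect in Part 2. And setting the attribute to 0x18 (which decodes to the two AES types) only tells the KDC which key types to use; the account still has to hold AES keys, which exist only if its password was set after AES was available in the domain. Computer accounts rotate their password periodically, so they normally do, but a service account with an old static password will not, and changing the attribute alone would break it rather than move it off RC4.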