Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos authentication problems after installing security updates released to address CVE-2020-17049 during this month's Patch Tuesday, on November 10.
Kerberos replaced the NTLM protocol to be the default authentication protocol for domain connected devices on all Windows versions above Windows 2000.
Authentication protocols enable authentication of users, computers, and services, making it possible for authorized services and users to access resources in a secure manner.
CVE-2020-17049 is a remotely exploitable Kerberos Constrained Delegation (KCD) security feature bypass vulnerability that exists in the way KDC determines if service tickets can be used for delegation via KCD.
Security updates behind auth issues
"After installing KB4586781 on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues," Microsoft explains.
"This is caused by an issue in how CVE-2020-17049 was addressed in these updates. As noted in CVE-2020-17049, there are three registry setting values for PerformTicketSignature to control it, but in the current implementation you might encounter different issues with each setting."
Experienced issues include authentication issues when using S4U scenarios, cross-realm referrals failures on Windows and non-Windows devices for Kerberos referral tickets, and certain non-compliant Kerberos tickets being rejected, depending on the value of the PerformTicketSignature setting.
More information on potential issues that could appear after installing security updates to mitigate CVE-2020-17049 can be found here.
The issue only impacts Windows Servers, Windows 10 devices, and vulnerable applications in enterprise environments according to Microsoft.
Impacted Windows platforms
Kerberos domain-controlled Windows devices using MIT Kerberos realms impacted by this newly acknowledged issue include both domain controllers and read-only domain controllers as explained by Microsoft.
The server platforms impacted by this issue are listed in the table below, together with the cumulative updates causing domain controllers to encounter Kerberos authentication and ticket renewal problems after installation.
| Affected platforms | |
| Server | Originating update |
| Windows Server, version 20H2 | KB4586781 |
| Windows Server, version 2004 | KB4586781 |
| Windows Server, version 1909 | KB4586786 |
| Windows Server, version 1903 | KB4586786 |
| Windows Server 2019 | KB4586793 |
| Windows Server 2016 | KB4586830 |
| Windows Server 2012 R2 | KB4586845 |
| Windows Server 2012 | KB4586834 |
Microsoft is working on a fix for this known issue and will provide an update with additional details as soon as more info is available.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now