Microsoft Fixes Windows Kerberos Authentication Issues In OOB Update
Microsoft has released out-of-band optional updates to fix a known issue that causes Kerberos authentication problems on enterprise domain controllers after installing security updates released earlier this month to address CVE-2020-17049.
CVE-2020-17049 is a remotely exploitable Kerberos Constrained Delegation (KCD) security feature bypass. The flaw lies in the way the Key Distribution Center (KDC) determines whether a service ticket can be used for delegation.
Kerberos replaced NTLM as the default authentication protocol for domain-joined devices beginning with Windows 2000.
This OOB update comes after Microsoft started investigating the Kerberos authentication issue over the weekend, on November 14.
Issues on impacted Windows versions
“As part of this issue, ticket renewal and other tasks, such as scheduled tasks and clustering, might fail,” Microsoft says in a Windows Message Center update.
“This issue only affects Windows Servers, and Windows 10 devices and applications in enterprise environments.”
According to Microsoft, admins might encounter the following issues on writable and read-only domain controllers (DCs):
- Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
- Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
- S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.
More details on potential issues that could occur after installing security updates to mitigate CVE-2020-17049 can be found on the Windows Health Dashboard.
Fix available only for some Windows versions
This OOB update mitigates the known issue on Windows Server 2012, 2012 R2, 2019, and version 1809.
Microsoft recommends that IT admins install the optional updates only on domain controllers that are actually affected by this known issue.
The full list of platforms impacted by this issue is in the table below, together with the cumulative updates that cause the issue and the optional updates that mitigate it.
Affected platforms

| Server | Originating update | OOB optional update |
|---|---|---|
| Windows Server, version 20H2 | KB4586781 | N/A |
| Windows Server, version 2004 | KB4586781 | N/A |
| Windows Server, version 1909 | KB4586786 | N/A |
| Windows Server, version 1903 | KB4586786 | N/A |
| Windows Server, version 1809 | KB4586793 | KB4594442 |
| Windows Server 2019 | KB4586793 | KB4594442 |
| Windows Server 2016 | KB4586830 | N/A |
| Windows Server 2012 R2 | KB4586845 | KB4594439 |
| Windows Server 2012 | KB4586834 | KB4594438 |
The update is not offered through Windows Update or Microsoft Update. To install it, download the package from the Microsoft Update Catalog or import it into Windows Server Update Services (WSUS).
Microsoft says this out-of-band optional update, which addresses the Kerberos authentication and ticket renewal issues, will also be released for additional Windows 10 versions in the near term.
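As an added example (not from the article, and not Microsoft's own tooling): a PowerShell check that compares a domain controller's installed hotfixes against the KB numbers in the table above, reads its PerformTicketSignature setting, and reports which of the symptoms listed earlier to expect. It assumes the value lives under HKLM:\SYSTEM\CurrentControlSet\Services\Kdc, as in Microsoft's CVE-2020-17049 deployment guidance (the article itself does not give the path), and that the caller has administrative rights on the DC and WinRM access to remote hosts.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumptions: run as an administrator; remote DCs are reachable over WinRM
# (Invoke-Command) and DCOM (Get-HotFix); PerformTicketSignature is read from
# HKLM:\SYSTEM\CurrentControlSet\Services\Kdc (path assumed from Microsoft's
# CVE-2020-17049 deployment guidance, not from this article).

# Originating cumulative update -> OOB optional update, copied from the table above.
$KerberosUpdates = @{
    'KB4586781' = $null        # Windows Server 20H2 / 2004: no OOB fix yet
    'KB4586786' = $null        # Windows Server 1909 / 1903: no OOB fix yet
    'KB4586793' = 'KB4594442'  # Windows Server 1809 / 2019
    'KB4586830' = $null        # Windows Server 2016: no OOB fix yet
    'KB4586845' = 'KB4594439'  # Windows Server 2012 R2
    'KB4586834' = 'KB4594438'  # Windows Server 2012
}

function Get-KerberosPatchState {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Which of the listed originating and OOB updates are installed on this DC.
    $installed   = @((Get-HotFix -ComputerName $ComputerName -ErrorAction Stop).HotFixID)
    $originating = @($KerberosUpdates.Keys | Where-Object { $installed -contains $_ })
    $oob         = @($originating | ForEach-Object { $KerberosUpdates[$_] } |
                     Where-Object { $_ -and $installed -contains $_ })

    # PerformTicketSignature: 0 = off, 1 = default (sign tickets, do not enforce),
    # 2 = enforce. A missing value means the default of 1.
    $readPts = {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
            -Name PerformTicketSignature -ErrorAction SilentlyContinue).PerformTicketSignature
    }
    $pts = if ($ComputerName -eq $env:COMPUTERNAME) { & $readPts }
           else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $readPts }
    if ($null -eq $pts) { $pts = 1 }

    # Map the state onto the three symptoms the article lists.
    $symptom = switch ($true) {
        ($originating.Count -eq 0) { 'Originating update not installed; CVE-2020-17049 fix absent'; break }
        ($oob.Count -gt 0)         { 'OOB optional update installed; known issue mitigated'; break }
        ($pts -eq 0)               { 'S4U scenarios (scheduled tasks, clustering, LOB services) may fail for all clients'; break }
        default                    { 'Non-Windows Kerberos clients may fail to renew tickets; cross-domain S4UProxy may fail if intermediate DCs are inconsistently updated' }
    }

    [pscustomobject]@{
        ComputerName           = $ComputerName
        OriginatingUpdate      = ($originating -join ',')
        OobUpdate              = ($oob -join ',')
        PerformTicketSignature = $pts
        ExpectedSymptom        = $symptom
    }
}

# Usage on the local DC:
Get-KerberosPatchState
# Across every DC in the domain (needs the ActiveDirectory RSAT module):
# Get-ADDomainController -Filter * | ForEach-Object { Get-KerberosPatchState -ComputerName $_.HostName }
```

Run it before and after importing the OOB package so the OobUpdate column confirms the KB from the table actually landed; a DC that still shows PerformTicketSignature 0 after patching should be treated as a separate configuration problem rather than as fixed.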