Active Directory Admins: May 2022 updates may force DCs to a boot loop (AltSecID attribute set on krbtgt)

Windows[German]Today a short information for administrators of Active Directory Domain Controllers under Windows Server, who still have to apply the security updates for May 2022. I have come across the information that there is a bug that leads to nasty problems in Windows Server in certain configurations (which should not actually occur). Administrators should pay attention to the configuration of the AltSecID attribute on the krbtgt account before installing the update. If this attribute is set, a boot loop of the DC is imminent and the Active Directory is down. I'll post the information I picked up yesterday from a Windows Escalation Engineer and since on Twitter here.

In May 2022, Microsoft is keeping administrators of Windows servers that act as domain controllers to manage Active Directory on edge. First there were AD authentication failures on systems that used certain constellations (see Windows May 2022 Updates Cause AD Authentication Failure (Server, Client)). US CISA warned against installing the May 2022 updates on Windows Domain Controllers (see CISA warns against installing May 2022 updates on Windows Domain Controllers). And now a new issue in this area has come to my attention. 

A tweet, a bug, a boot loop

It was just a cryptic tweet at first, for me that came to my attention late yesterday evening. Now I compiled some more information I found here into this article.

Bug in Active Directory, keep care

The message from Ryan Ries, Windows Escalation Engineer at Microsoft: Administrators managing an Active Directory should make sure that the AltSecID attribute of the krbtgt account is not filled in before installing the May 2022 updates. This attribut should not be populated in normal cirumstances. But there is a bug, triggered by May 2022 security updates, that leads to nasty problems (crash).

Crash of LSASS when booting the server

Unfortunately, Ryan Ries does not elaborate further, and has not added anything when asked so far. But as part of the discussion on Twitter, Steve Syfuhs from Microsoft got in touch with the following note.

LSASS issues with May 2022 update on DCs

It the krbtgt account has a set the AltSecID attribute to a value, LSASS (Local Security Authority Subsystem Service) of the AD DC server in question would crash with the May 2022 security update installed. No further details are given – but Will Dormann documented it via screenshot, see the following tweet.

LSASS reboot loop

The combination that leads to this problem should not actually occur – but it does. The whole discussion by Will Dormann can be followed on Twitter. Will Dormann's server probably came back to life in a test environment after a few reboots. If anyone is affected, how do they get out of it? Another user writes about this:

If you updated all DCs you're down until Microsoft gets to your case. If you have any DCs that aren't updated just offline the problem ones until there's a fix. If you've never done a rollback of a DC, don't try it. It's been 5 years since my last one and I still have nightmares.

In a nutshell, from what I've read: If you have updated all domain controllers to the May 2022 patch level and are affected, your Active Directory is probably "down". Ryan Ries recommends those affected who have fallen into this trap to open a case with Microsoft and wait for support. The customer has to wait until his case is processed at Microsoft. Those who have not yet updated all DCs should wait until the problem is fixed. 

DC boot loop issue - open a case at MS

 

The KRBTGT Account and the AltSecID Attribute

KRBTGT is a service account used for Microsoft's implementation of Kerberos, the standard Microsoft Windows authentication protocol. KRB stands for Kerberos and TGT for Ticket Granting Ticket (see). When a domain is set up, the KRBTGT account is assigned a password. In a nutshell (see):

  • Each domain controller in an Active Directory domain runs a Kerberos Distribution Center (KDC) service that handles all Kerberos ticket requests.
  • AD uses the KRBTGT account in the AD domain for Kerberos tickets. The KRBTGT account is an account that has existed in your Active Directory environment since the initial setup.
  • Each Active Directory domain has an associated KRBTGT account that is used to encrypt and sign all Kerberos tickets for the domain.

The KRBTGT account is disabled by default and cannot be deleted or enabled in Active Directory (see). Resetting the password is only possible for domain administrators (see also these explanations and here from Microsoft).  Das Zurücksetzen des Passworts ist nur für Domain Administratoren möglich (siehe auch diese Erläuterungen und hier von Microsoft).

If I understand it correctly, the AltSecID attribute is not populated by default (see also here and here). Security expert Kevin Beaumont sums it up in this tweet.  

If this attribute is set in an environment, the person didn't know what they were doing – or the AD is compromised in a way they don't think is documented online. The May 2022 patch inadvertently shows that. Documented in a diagram, see the following tweet.

This is a quick summary of what I know. I hope that AD administrators can do something with it and that no one is really affected. Who has not yet installed the May 2022 updates, should also wait for this reason, until the whole thing is clarified.

Addendum: Just in case, I've listet the May 2022 security updates for Windows within the blog post Microsoft has fixed the (PetitPotam) NTLM Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update. Just check the server relevant updates you have to avoid.

Similar articles:
Microsoft Security Update Summary (May 10, 2022)
Patchday: Windows 10-Updates (May 10, 2022)
Patchday: Windows 11/Server 2022-Updates (May 10, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (May 10, 2022)

Windows May 2022 Updates Cause AD Authentication Failure (Server, Client)
CISA warns against installing May 2022 updates on Windows Domain Controllers
Microsoft has fixed the (PetitPotam) NTLM Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update
Windows 11: Update KB5013943 results in application error 0xc0000135
MS-Patchday wrap-up: Issues with April 2022 updates
Windows Server 2022: RDS bug (RDCB role broken) caused by KB5011497, not fixed in May 2022
Windows Update KB5012599: Microsoft plans fix for install error 0x8024200B and 0x800F0831
Windows 11: Update KB5013943 results in application error 0xc0000135

This entry was posted in issue, Update, Windows and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *