Windows 10/Windows Server: Update KB4586781 causes issues with Kerberos DC authentication

[German] A short note for administrators of Windows 10 environments (version 2004 and 20H2) in which Windows Server, version 2004/20H2 is already in use as a domain controller. Update KB4586781, released on November 10, 2020, causes issues with Kerberos authentication on domain controllers (DCs) in very specific environments with mixed server versions.

In the status information for Windows 10 version 20H2 and Windows Server version 20H2, Microsoft documented in this section that it is investigating a problem with Kerberos authentication on domain controllers (DCs) that is caused by update KB4586781. Microsoft writes:

After installing KB4586781 on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues.

According to Microsoft's explanation, the issue is caused by the way CVE-2020-17049 was addressed in these updates. In the current implementation there are three registry preference values for PerformTicketSignature that control the ticket signature. After you install update KB4586781 on a DC, each setting can cause different problems:

  • Value 0: authentication issues may occur in S4U scenarios such as scheduled tasks, clustering and services, e.g. line-of-business applications.
  • Value 1: the default value of 1 can cause authentication problems for non-Windows clients that authenticate to Windows domains using Kerberos.
  • Value 2: the value is intended for enforcement mode and will cause issues in an environment in which not all DCs are updated, because certain types of non-compliant Kerberos tickets are explicitly rejected. The value should currently also not be used if the environment contains DCs running Windows Server 2008 R2 SP1 or Windows Server 2008 SP2.

Regarding value 1, Microsoft writes that once update KB4586781 is installed on a domain controller, a client's attempt to renew a Kerberos ticket fails if the DC that issued the ticket was not prepared for the change. This is the case if the ticket was issued by a DC that does not yet have the November 10, 2020 update, and also if it was issued by a DC running Windows Server 2008 R2 SP1 or Windows Server 2008 SP2.

Changing the registry value from 0 to 1 can also trigger this problem, as there may be outstanding Kerberos tickets that are marked as renewable but will not be renewed by updated DCs.

The default setting of 1 can also cause cross-domain referral errors on Windows and non-Windows devices for Kerberos referral tickets that pass through DCs in domains that do not have the November 10, 2020 update installed, or through a DC running Windows Server 2008 R2 SP1 or Windows Server 2008 SP2. This issue can occur if the domain environment is partially updated or contains at least one Windows Server 2008 R2 SP1 or Windows Server 2008 SP2 DC.
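Because every failure mode above depends on the combination of the PerformTicketSignature value and the patch state of each DC, the first thing an administrator wants is an inventory of both across all DCs. The following PowerShell script is an added example and not part of the original post or of Microsoft's guidance. It assumes the ActiveDirectory RSAT module, PowerShell remoting (WinRM) to each DC, and that PerformTicketSignature lives as a DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Kdc (the location documented for this setting); the list of KB IDs and the rule that a missing value is treated as the default of 1 are assumptions you should adapt to your environment.

```powershell
# Added example (not from the original post): inventory PerformTicketSignature and the
# November 10, 2020 update across all DCs and flag the mixed states described above.
# Assumptions: RSAT ActiveDirectory module, WinRM to every DC, and the registry
# location below; the KB list covers Windows Server, version 2004/20H2 only.
$kdcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName  = 'PerformTicketSignature'
$updateIds  = @('KB4586781')   # add the matching November 2020 KB for other server versions

$dcs = Get-ADDomainController -Filter *   # writable DCs and RODCs

$report = foreach ($dc in $dcs) {
    try {
        $info = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($key, $name, $ids)
            $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            $fix = Get-HotFix -Id $ids -ErrorAction SilentlyContinue
            [pscustomobject]@{
                # Assumption: an absent value behaves like the documented default of 1
                Value   = if ($null -eq $val) { 1 } else { [int]$val }
                Updated = [bool]$fix
            }
        } -ArgumentList $kdcKey, $valueName, $updateIds
        $value = $info.Value; $updated = $info.Updated; $state = 'OK'
    }
    catch {
        $value = $null; $updated = $null; $state = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DC                     = $dc.HostName
        OS                     = $dc.OperatingSystem
        IsReadOnly             = $dc.IsReadOnly
        PerformTicketSignature = $value
        HasNovUpdate           = $updated
        State                  = $state
    }
}

$report | Format-Table -AutoSize

# Derive the risk conditions named in Microsoft's description.
$reachable  = $report | Where-Object State -eq 'OK'
$legacyDCs  = $reachable | Where-Object OS -match 'Windows Server 2008'
$notUpdated = $reachable | Where-Object { -not $_.HasNovUpdate }
$mixed      = ($notUpdated.Count -gt 0) -and ($notUpdated.Count -lt $reachable.Count)

foreach ($row in $reachable) {
    switch ($row.PerformTicketSignature) {
        0 { Write-Warning "$($row.DC): value 0 - S4U scenarios (scheduled tasks, clustering, services) may fail." }
        1 { if ($row.HasNovUpdate -and ($mixed -or $legacyDCs.Count -gt 0)) {
                Write-Warning "$($row.DC): value 1 on an updated DC while non-updated or 2008/2008 R2 DCs exist - ticket renewals and cross-domain referrals may fail." } }
        2 { if ($mixed -or $legacyDCs.Count -gt 0) {
                Write-Warning "$($row.DC): value 2 (enforcement) with non-updated or 2008/2008 R2 DCs present - non-compliant tickets will be rejected." } }
    }
}
if ($mixed) { Write-Warning "Partially updated DC set: $($notUpdated.DC -join ', ') lack $($updateIds -join ', ')." }
```

Run it from a workstation with domain admin rights; the table gives the per-DC picture and the warnings map each DC directly to the three value-specific problems listed above, so you can see at a glance whether the environment is in one of the mixed states Microsoft calls out before touching the registry value.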

This issue affects Windows Server and Windows 10 systems and applications in enterprise environments only if the following server versions are present and update KB4586781 is installed on a DC:

Windows Server, version 20H2; Windows Server, version 2004; Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012

My guess is that there are probably very few environments where Windows Server, version 2004 or 20H2 is already running as the domain controller (but I may be mistaken). Microsoft is currently investigating this problem and wants to provide an update as soon as possible. Is anyone of you affected?
