Microsoft is working on a fix for a bug in last week’s patch for a bypass vulnerability in the Kerberos Key Distribution Center (KDC) security feature.
Kerberos is a client-server authentication protocol used on multiple operating systems, including Windows. Microsoft attempted to fix a bypass in the Kerberos KDC, a feature that handles tickets for encrypting messages between a server and client.
SEE: Windows 10 Start menu hacks (TechRepublic Premium)
“After installing KB4586786 on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues,” Microsoft notes in its known issues page for all supported version of Windows 10.
“This is caused by an issue in how CVE-2020-17049 was addressed in these updates.”
The buggy patch only affects Windows Servers, Windows 10 devices and applications in enterprise environments, according to Microsoft.
Microsoft addressed the vulnerability by changing how the KDC validates service tickets used with the Kerberos Constrained Delegation (KCD) because there was a bypass issue in the way KDC determines if a service token can be used for KCD delegation.
Microsoft explains there are three registry setting values – 0, 1, and 2 – for PerformTicketSignature to control it, but admins might encounter different issues with each setting.
“Setting the value to 0 might cause authentication issues when using S4U scenarios, such as scheduled tasks, clustering, and services for example line-of-business applications,” Microsoft states.
Additionally, the default value setting of 1 might cause non-Windows clients authenticating to Windows Domains using Kerberos to experience authentication issues.
With that setting, admins could also see failures in “cross-realm referrals” on Windows and non-Windows devices for Kerberos referral tickets passing through DCs that haven’t got the Patch Tuesday update.
“We are working on a resolution and will provide an update as soon as more information is available,” Microsoft notes.
Microsoft has also revised its guidance for deploying the update. It has recommended admins locate the KDC registry subkey, and if it exists on the system, ensure that it is set to 1. Then admins need to complete the deployment to all DCs – and Read-Only DCs.
“Note that following our original guidance of using the 0 setting could cause known issues with the S4USelf feature of Kerberos. We are working to address this known issue,” it says.