Microsoft investigates new known issue that causes corporate domain controllers to experience Kerberos authentication problems Patch Tuesday, November 10th.
Kerberos has replaced the NTLM protocol as the default authentication protocol for domain-connected devices on all versions of Windows above Windows 2000.
Authentication protocols allow authentication of users, computers and services, allowing authorized services and users to access resources securely.
CVE-2020-17049 is a remote exploitation capability of the Kerberos Constrained Delegation (KCD) and exists in the way KDC determines whether service credentials can be used for KCD outsourcing.
Security updates behind authorization issues
"After installing KB4586781 on domain controllers (DC) and read-only domain controllers (RODC) in your environment, you may experience authentication problems in Kerberos," explains Microsoft.
"This is due to a problem with CVE-2020-17049 in these updates. As noted in CVE-2020-17049, there are three registry setting values for PerformTicketSignature for testing, but in the current application you may experience different issues with each setting. ”
The problem only affects Windows servers, Windows 10 devices, and vulnerable applications in corporate environments, according to Microsoft.
Affected Windows platforms
Kerberos domain-controlled Windows devices that use MIT Kerberos spheres affected by this recently recognized issue include read-only domain controllers, as explained by Microsoft.
The server platforms affected by this issue are listed in the table below, along with the cumulative updates that cause domain controllers to experience problems with Kerberos authentication and post-installation ticket refresh.
|Servant||Source of information|
|Windows Server, version 20H2||KB4586781|
|Windows Server, 2004 version||KB4586781|
|Windows Server, 1909 version||KB4586786|
|Windows Server, 1903 version||KB4586786|
|Windows Server 2019||KB4586793|
|Windows Server 2016||KB4586830|
|Windows Server 2012 R2||KB4586845|
|Windows Server 2012||KB4586834|
Microsoft is working to fix this known issue and will release an update with additional details as soon as more information becomes available.