Microsoft Confirms Kerberos Authentication Issues After Installing Last Week’s Patch
Microsoft has added a new bug in the list of Windows 10 version 20H2 known issues. Affecting Windows Servers and Windows 10 devices/applications in enterprise environments, the Windows maker said that the "domain controllers in your enterprise might encounter Kerberos authentication issues" after installing Build 19042.630 (KB4586781), which was released last week on Patch Tuesday.
The problem affects Windows 10 October 2020 Update (Server, version 20H2) along with some of the older versions of the operating system, including Windows Server versions 2004, 1909, 1903, and 1809. It also affects Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012.
The company said it's working on a resolution and "will provide an update as soon as more information is available."
Details of the Windows 10 Kerberos authentication bug
After installing KB4586781 on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues. This is caused by an issue in how CVE-2020-17049 was addressed in these updates. As noted in CVE-2020-17049, there are three registry setting values for PerformTicketSignature to control it, but in the current implementation you might encounter different issues with each setting:
- Setting the value to 0 might cause authentication issues when using S4U scenarios, such as scheduled tasks, clustering, and services for example line-of-business applications.
- The default value setting of 1 might cause non-Windows clients authenticating to Windows Domains using Kerberos to experience authentication issues.
- With setting 1, clients attempting to renew a Kerberos ticket that should be renewable on a DC updated with KB4586781 will fail to renew the Kerberos ticket if it was issued from a DC that has not installed an update released November 11, 2020 or any DC running Windows Server 2008 R2 SP1 or Windows Server 2008 SP2.
- Going from 0 to 1 might also cause this issue since there can be outstanding Kerberos tickets that are marked renewable, but will not be renewed by updated DCs.
- With the default value setting of 1, you might also have Cross realm referrals failures on Windows and non-Windows devices for Kerberos referral tickets passing through domain DCs that have not installed an update released November 11, 2020 or any DC running Windows Server 2008 R2 SP1 or Windows Server 2008 SP2. This issue might happen if domain environment is partially updated or contains at least one Windows Server 2008 R2 SP1 or Windows Server 2008 SP2.
- Setting the value to 2 is intended for enforcement mode and will create issues in an environment where not all DCs are updated because it will explicitly reject certain types of non-compliant Kerberos tickets. It should also not be used at this time if your environment contains DCs running Windows Server 2008 R2 SP1 or Windows Server 2008 SP2.
For more details, head over to this support document.