Microsoft reported on Sunday that, after installing the updates released on the most recent Patch Tuesday on Nov. 8, organizations might have issues with Kerberos authentication on Windows Servers holding the Domain Controller role.
Like most other major operating systems, Windows uses the Kerberos protocol to authenticate users and service requests between hosts over a network that is not itself trusted, typically an enterprise LAN; in Active Directory it has been the default domain authentication protocol since Windows 2000. Along with Windows, Kerberos support is built into Apple macOS, FreeBSD, and Linux.
In a blog post, Microsoft researchers said the issue might affect any Microsoft-based Kerberos authentication in an enterprise environment. Some of the scenarios that might be affected include the following:
- The domain user sign-in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
- Remote Desktop connections using domain users might fail to connect.
- Domain users might be unable to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication might fail.
Microsoft added that Windows devices used at home by consumers, and devices that are not part of an on-premises domain, are not affected by this issue. In addition, Azure Active Directory environments that are not hybrid and have no on-premises Active Directory servers are not affected. Microsoft is working on a resolution and estimates it will release a fix in the coming weeks.
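For teams that need to know whether they are exposed before the fix ships, the two questions are which domain controllers received the Nov. 8 updates and whether their KDCs have started logging Kerberos errors since. The script below is an added triage example, not code from the article or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that WinRM/RPC to the domain controllers is allowed, and that a gMSA named `svc-iis-gmsa` exists; that account name is a placeholder, and because the article gives no KB numbers the hotfix filter is by installation date only.

```powershell
# Added triage example (not from the article or Microsoft). Assumptions:
#  - RSAT ActiveDirectory module available, run as a domain admin
#  - Get-HotFix / Get-WinEvent can reach each DC remotely
#  - 'svc-iis-gmsa' is a placeholder gMSA name; replace with your own
Import-Module ActiveDirectory

$patchTuesday = Get-Date '2022-11-08'

# Every writable and read-only DC in the current domain
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    # Hotfixes installed on or after Patch Tuesday (no KB numbers are listed
    # on the page, so we filter by date rather than by HotFixID).
    $recent = Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -ge $patchTuesday }

    # Error-level events from the KDC provider since Patch Tuesday. A DC whose
    # KDC started erroring right after the update is the one to look at first.
    $kdcErrors = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Level        = 2            # 2 = Error
        StartTime    = $patchTuesday
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController = $dc
        PatchedSinceNov8 = [bool]$recent
        RecentHotfixes   = ($recent.HotFixID -join ',')
        KdcErrorCount    = @($kdcErrors).Count
        LatestKdcError   = ($kdcErrors | Select-Object -First 1).Message
    }
}

# DCs with the most KDC errors float to the top
$report | Sort-Object KdcErrorCount -Descending | Format-Table -AutoSize

# Spot-check two of the advisory's scenarios from a domain-joined host:
# 1. Can this user still obtain Kerberos tickets? Purge the cache and request a
#    service ticket for a DC's CIFS service, which forces a fresh TGT first.
klist purge | Out-Null
klist get "cifs/$($dcs[0])"

# 2. Can the host still authenticate the gMSA used by IIS?
#    (placeholder account name; Test-ADServiceAccount returns $true on success)
Test-ADServiceAccount -Identity 'svc-iis-gmsa'
```

Run it from a management workstation before and after the next patch cycle and diff the two reports: a DC that flips from zero KDC errors to many, with hotfixes dated Nov. 8 or later, matches the pattern Microsoft describes, whereas a DC that shows errors but no recent hotfixes points at something unrelated to this update.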
It sounds like Microsoft made some important security hardening changes in this update, but inadvertently broke some key authentication scenarios at the same time, resulting in failed logins and failed RDP connections — even for the most recent OS versions including Windows Server 2022, said Phil Neray, vice president of cyber defense strategy at CardinalOps.
“The issues don't apply to Azure Active Directory environments that are not hybrid and don't have any on-premises Active Directory servers, but that still means they could affect the majority of organizations,” Neray said. “Waiting several weeks for a fix could be problematic, however, I'm guessing the issues are buried deep in complex code, so Microsoft is probably being conservative with their time estimate.”
Andrew Barratt, vice president at Coalfire, said migrating to Kerberos is not bulletproof — but the ramifications of breaking an authentication protocol could be very widespread. Barratt said that while there are some registry hacks available that revert to less strong encryption, that would literally be the opposite of what Microsoft was trying to achieve with the patch in the first place.
“The likelihood is this could manifest in failed authentication or failed service requests within a network and become quite tricky to troubleshoot,” Barratt said. “The other danger is that those technical support staff that get burned having to fix this may also in future ignore malware that has a similar kind of symptom.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said it's an unfortunate fact that sometimes patches break things or introduce new vulnerabilities, and "breaking things" seems to be what has happened here for some people after deploying the latest rollout from Microsoft.
“The affected configurations appear somewhat limited, but that’s no consolation for the organizations that are experiencing this in their environment,” Parkin said. “Hopefully, Microsoft will address this issue quickly and not take the full ‘couple of weeks’ to fix the problem.”