Security News > 2020 > November > Windows Kerberos authentication breaks due to security updates
Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos authentication problems after installing security updates released to address CVE-2020-17049 during this month's Patch Tuesday, on November 10.
Kerberos replaced the NTLM protocol to be the default authentication protocol for domain connected devices on all Windows versions above Windows 2000.
CVE-2020-17049 is a remotely exploitable Kerberos Constrained Delegation security feature bypass vulnerability that exists in the way KDC determines if service tickets can be used for delegation via KCD. Security updates behind auth issues.
Experienced issues include authentication issues when using S4U scenarios, cross-realm referrals failures on Windows and non-Windows devices for Kerberos referral tickets, and certain non-compliant Kerberos tickets being rejected, depending on the value of the PerformTicketSignature setting.
Kerberos domain-controlled Windows devices using MIT Kerberos realms impacted by this newly acknowledged issue include both domain controllers and read-only domain controllers as explained by Microsoft.
News URL
Related news
- Windows 10 KB5044273 update released with 9 fixes, security updates (source)
- Microsoft plans to boot security vendors out of the Windows kernel (source)
- Microsoft announces new and improved Windows 11 security features (source)
- Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-11 | CVE-2020-17049 | Incorrect Authorization vulnerability in multiple products A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD. | 6.6 |