Microsoft is working on a fix for a bug in last week's patch for a bypass vulnerability in the Kerberos Key Distribution Center (KDC) security feature.
Microsoft has flagged the issue affecting systems that have installed the patch for the bug CVE-2020-17049[1], one of the 112 vulnerabilities addressed in the November 2020 Patch Tuesday update[2].
Kerberos is a client-server authentication protocol used on multiple operating systems, including Windows. Microsoft attempted to fix a bypass in the Kerberos KDC, the domain controller service that issues and validates the tickets clients present to authenticate to servers.
"After installing KB4586786[4] on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues," Microsoft notes in its known issues page for all supported versions of Windows 10[5].
"This is caused by an issue in how CVE-2020-17049[6] was addressed in these updates."
According to Microsoft, the buggy patch only affects Windows Server and Windows 10 devices and applications in enterprise (domain-joined) environments.
Microsoft addressed the vulnerability by changing how the KDC validates service tickets used with Kerberos Constrained Delegation (KCD). The underlying flaw was a bypass in the way the KDC determines whether a service ticket may be used for KCD delegation.
Microsoft explains that the new behaviour is controlled by the PerformTicketSignature registry value (a DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Kdc on each domain controller), which accepts three values, 0, 1 and 2, but admins might encounter different issues with each setting.
"Setting the value to 0 might cause authentication issues when using S4U scenarios, such as scheduled tasks, clustering, and services, for example line-of-business applications," Microsoft states.
Additionally, the default value of 1 might cause non-Windows clients authenticating to Windows domains using Kerberos to experience authentication
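Because the impact of each PerformTicketSignature value differs, the first thing an administrator wants is an inventory of what every domain controller is actually set to. The following PowerShell script is an added example, not code from the article or from Microsoft. It assumes the value lives at HKLM\SYSTEM\CurrentControlSet\Services\Kdc as a DWORD named PerformTicketSignature, that an absent value behaves as the default of 1, that value 2 is the enforcement setting described in Microsoft's later guidance, that the RSAT ActiveDirectory module is installed, and that WinRM is reachable on the DCs.

```powershell
# Added example (not from the article or Microsoft): audit PerformTicketSignature
# on every domain controller and flag inconsistent settings.
# Assumptions: registry location and value name below; absent value == default (1);
# value 2 == enforcement (from Microsoft's later guidance); RSAT AD module; WinRM to DCs.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'PerformTicketSignature'

# Descriptions of 0 and 1 follow the article; 2 is an assumption (enforcement).
$Meaning = @{
    0 = 'off - S4U scenarios (scheduled tasks, clustering, LOB services) may fail'
    1 = 'default after KB4586786 - non-Windows Kerberos clients may fail'
    2 = 'enforcement (assumed from later Microsoft guidance)'
}

function Get-KdcTicketSignatureSetting {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $KdcKey, $ValueName -ScriptBlock {
        param($Key, $Name)
        # Missing value is not an error here: it simply means the KDC default applies.
        $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC    = $env:COMPUTERNAME
            Value = if ($null -ne $prop) { [int]$prop.$Name } else { $null }
        }
    }
}

function Set-KdcTicketSignatureSetting {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KdcKey, $ValueName, $Value -ScriptBlock {
        param($Key, $Name, $Val)
        Set-ItemProperty -Path $Key -Name $Name -Value $Val -Type DWord
    }
}

# Report one line per DC with the effective value and what it means.
$dcs     = (Get-ADDomainController -Filter *).HostName
$results = Get-KdcTicketSignatureSetting -ComputerName $dcs

foreach ($r in $results) {
    $effective = if ($null -eq $r.Value) { 1 } else { $r.Value }   # absent => default (assumed)
    $note = if ($null -eq $r.Value) { 'value absent, default applies' } else { $Meaning[$effective] }
    '{0,-30} {1}  {2}' -f $r.DC, $effective, $note
}

# DCs issuing and validating tickets under different rules is the situation most likely
# to produce intermittent failures, so warn when the fleet is not uniform.
$distinct = $results | ForEach-Object { if ($null -eq $_.Value) { 1 } else { $_.Value } } | Sort-Object -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning "DCs have mixed PerformTicketSignature values ($($distinct -join ', ')); make them consistent."
}

# To move every DC to one value, for example back to 0 while waiting for Microsoft's follow-up fix:
# Set-KdcTicketSignatureSetting -ComputerName $dcs -Value 0
```

Run the audit before and after any change, and change the value on all DCs in one pass rather than one at a time, since tickets issued by one DC are validated by whichever DC the service next contacts.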