Active Directory

Active Directory Authentication updates

Hello all,

Hope this post finds you in good health and spirit.

This post is regarding to addresses a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers.

Active Directory Authentication updates

The improved authentication process in CVE-2021-42287 adds new information about the original requestor to the PACs of Kerberos Ticket-Granting Tickets (TGT). Later, when a Kerberos service ticket is generated for an account, the new authentication process will verify that the account that requested the TGT is the same account referenced in the service ticket.

After installing Windows updates dated November 9, 2021 or later, PACs will be added to the TGT of all domain accounts, even those that previously chose to decline PACs.

The initial deployment phase starts with the Windows update released on November 9, 2021.

This release: Adds protections against CVE-2021-42287

Adds support for the PacRequestorEnforcement registry value, which allows you to transition to the Enforcement phase early. Mitigation consists of the installation of Windows updates on all devices that host the domain controller role and read-only domain controllers (RODCs).

April 12, 2022: Second deployment phase


The second deployment phase starts with the Windows update released on April 12, 2022. This phase removes the PacRequestorEnforcement setting of 0. Setting PacRequestorEnforcement to 0 after this update is installed will have the same effect as setting PacRequestorEnforcement to 1. The domain controllers (DCs) will be in Deployment mode.

Note This phase is not necessary if PacRequestorEnforcement was never set to 0 in your environment. This phase helps ensure that customers that set PacRequestorEnforcement to 0move to setting 1 before the Enforcement phase.

Note This update assumes that all domain controllers are updated with the November 9, 2021 or later Windows update.

July 12, 2022: Enforcement phase


The July 12, 2022 release will transition all Active Directory domain controllers into the Enforcement phase. The Enforcement phase will also remove the PacRequestorEnforcement registry key completely. As a result, Windows domain controllers that have installed the July 12, 2022 update will no longer be compatible with:

  • Domain controllers that did not install the November 9, 2021 or later updates.
  • Domain controllers that installed the November 9, 2021 or later updates but have not yet installed the April 12, 2022 update ANDwho have a PacRequestorEnforcement registry value of 0.
  • However, Windows domain controllers that have installed the July 12, 2022 update will remain compatible with:
  • Windows domain controllers that have installed the July 12, 2022 or later updates
  • Window domain controllers that have installed the November 9th, 2021 or later updates and have a PacRequestorEnforcement value or either 1 or 2.

Registry key information

After installing CVE-2021-42287 protections in Windows updates released between November 9, 2021 and June 14, 2022, the following registry key will be available:

Registry subkey

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc

Value

PacRequestorEnforcement

Data type

REG_DWORD

Data

1: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, no further action is taken. Active Directory domain controllers in this mode are in the Deployment phase.

2: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, the authentication is denied. Active Directory domain controllers in this mode are in the Enforcement phase.

0: Disables the registry key. Not recommended. Active Directory domain controllers in this mode are in the Disabled phase. This value will not exist after the April 12, 2022 or later updates.

Important Setting 0 is not compatible with setting 2. Intermittent failures might occur if both settings are used within a forest. If setting 0 is used, we recommend that you transition setting 0 (Disable) to setting 1 (Deployment) for at least a week before moving to setting 2 (Enforcement mode).

Default

1 (when registry key is not set)

Is a restart required?

No

More info can be found here

https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

So, that’s all in this blog. I will meet you soon with some other stuff. Have a nice day !!!

Recommended content

RODC Installation Guide- Step by step guide to install read only domain controller

RODC Filtered Attribute Set

Installing and configuring a RODC in Windows Server-2012

How to find the GUID of Domain Controller

Group Policy Understanding Group Policy Preferences

Group Policy Verification Tool GPOTool Exe

Group Policy Health Check on Specific Domain Controller

What is Netlogon Folder in Active Directory

How to Create Custom Attributes in Active Directory

How Can I Check the Tombstone Lifetime of My Active Directory Forest

How to Determine a Computers AD Site From the Command Line

How to Check the Active Directory Database Integrity

How to Check the Active Directory Database Integrity

Disabling and Enabling the Outbound Replication

DFS Replication Service Stopped Replication

What is Strict Replication Consistency

The replication operation failed because of a schema mismatch between the servers involved

Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers

How to export replication information in txt file

Repadmin Replsummary

Enabling the outbound replication

Guys please don’t forget to like and share the post. You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

Was this article helpful?
YesNo

Vipan Kumar

He is an Active Directory Engineer. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@windowstechno.com Please subscribe our Facebook page as well website for latest article. https://www.facebook.com/windowstechno
Back to top button