Windows 10 update problem: We're fixing Kerberos authentication bug, says Microsoft

A Windows 10 patch could be causing authentication problems on Windows and non-Windows business devices.


Microsoft is working on a fix for a bug in last week's patch for a bypass vulnerability in the Kerberos Key Distribution Center (KDC) security feature. 

Microsoft has flagged the issue as affecting systems that have installed the patch for CVE-2020-17049, one of the 112 vulnerabilities addressed in the November 2020 Patch Tuesday update.

Kerberos is a client-server authentication protocol used on multiple operating systems, including Windows. Microsoft attempted to fix a bypass in the Kerberos KDC, a feature that handles tickets for encrypting messages between a server and client.     


"After installing KB4586786 on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues," Microsoft notes in its known issues page for all supported versions of Windows 10.

"This is caused by an issue in how CVE-2020-17049 was addressed in these updates."

The buggy patch only affects Windows Servers, Windows 10 devices and applications in enterprise environments, according to Microsoft. 

Microsoft addressed the vulnerability by changing how the KDC validates service tickets used with Kerberos Constrained Delegation (KCD), because there was a bypass issue in the way the KDC determines whether a service ticket can be used for delegation via KCD.

Microsoft explains that the PerformTicketSignature registry setting, which controls this validation, can take three values (0, 1, and 2), but admins might encounter different issues with each setting.

"Setting the value to 0 might cause authentication issues when using S4U scenarios, such as scheduled tasks, clustering, and services for example line-of-business applications," Microsoft states. 

Additionally, the default value setting of 1 might cause non-Windows clients authenticating to Windows Domains using Kerberos to experience authentication issues. 


With that setting, admins could also see failures in "cross-realm referrals" on Windows and non-Windows devices for Kerberos referral tickets passing through DCs that haven't got the Patch Tuesday update. 

"We are working on a resolution and will provide an update as soon as more information is available," Microsoft notes. 

Microsoft has also revised its guidance for deploying the update. It has recommended admins locate the KDC registry subkey, and if it exists on the system, ensure that it is set to 1. Then admins need to complete the deployment to all DCs – and Read-Only DCs.

"Note that following our original guidance of using the 0 setting could cause known issues with the S4USelf feature of Kerberos. We are working to address this known issue," it says. 

UPDATE, November 18: Microsoft has now issued an out-of-band update, KB4594442, to solve the Kerberos authentication issues.