0

Kerberos Issues November 2022

The November 8, 2022 and later Windows updates address a  security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation.

This update will set AES as the default encryption type for session keys on accounts that are not marked with a default encryption type already.

To help secure your environment, install the Windows update that is dated November 8, 2022 or a later Windows update to all devices, including domain controllers

These Windows updates contain updates to the Kerberos protocol, to help with recent security issues.  For example:

CVE-2022-37966

CVE-2022-37967

This was a planned change.  Information was published to help admins manage this and subsequent changes as further work is required for Kerberos.  You can review those details in articles like:

KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966

You can read the articles for the full details, but the high level summary to help protect your environment and prevent outages, we recommend that you do the following steps:

  1. UPDATE your Windows domain controllers with a Windows update released on or after November 8, 2022.

  2. MOVE your Windows domain controllers to Audit mode by using the Registry Key setting section.

  3. MONITOR events filed during Audit mode to secure your environment.

  4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment

However there were some issues, and this post will note the issues experienced in the field plus an additional problem that that was observed with an AD FS server.

Update: 10-1-2023 The OOB fix noted below is present in the updates releated this month.  Please see this release announcement.

Unplanned Impact

Please take the time to read through this post How Do I Know If My AD Environment Is Impacted By The November 8th 2022 Patch? as it provides a good overview of the issue. An Out Of Band (OOB) update was released to deal with the issue introduced by the 8th November 2022 update.

Microsoft is releasing Out-of-band (OOB) updates today, November 17, 2022 and November 18, 2022 for installation on all the Domain Controllers (DCs) in affected environments. This update addresses a known issue which might cause sign in failures or other Kerberos authentication issues. You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue. If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them.

Windows Server November 2022 Update Installed - This resulted in subsequent Kerberos Issues

Out of Band Updates

The Out Of Band updates can be manually downloaded from the Microsoft Update Catalog.

Downloading Out Of Band Updates From Microsoft Update Catalog

The relevant download  links are:

Windows Server 2022 KB5021656

Windows Server 2019 KB5021655

Windows Server 2016 KB5021654

Windows Server 2012 R2 KB5021653

Windows Server 2012 KB5021652

Resources

If you are reading this as a result of issues with the November 2022 update. There are a number of resources on the Internet.  Some examples are below.

Steve Syfuhs is senior dev on the Windows team at Microsoft and has some truly outstanding content on his blog.  He has a post specifically on this issue Kerberos Event ID 27 (syfuhs.net) and the comments at the end also deserve a read.

Some posts and articles have sample queries you can run to find objects in AD DS that may have an issue.  For example this PowerShell oneliner is in the known issues section of the how to manage the Kerberos protocol change KB article.

Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x18 -and -not msDS-supportedEncryptionTypes -bor 0x7"

The How Do I Know If My AD Environment Is Impacted By The November 8th 2022 Patch has the below PowerShell excerpt:

Get-ADObject -Filter * -Properties msDS-SupportedEncryptionTypes | `
select name,objectClass,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes')}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes') -AsString}} | `
select name,objectClass,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}} | `
Where{-not $_.HasRC4OrIsBlank}

 

Interestingly the above did not help with the situation below.

Additional Kerberos Issue Post November 2022 OOB Update

This was an additional issue which persisted even after applying the OOB update.  The issue is reproduced below for your viewing pleasure.

The initial symptom was that AD FS authentication failed.  

AD FS Authentication Failed After Installing November 2022 Security Updates

If we look at the error details, there is some interesting additional information.

AD FS Authentication Failed - Error Details MSIS3173: Active Directory account validation failed

The full Error details: MSIS3173: Active Directory account validation failed.

There are no meaningful errors on the client.  Let’s go check the DCs .

In the DC's system event log we can see that EventID 16 is present stating that there is a Kerberos issue with the AD FS service account.

EventID 16 - While processing a TGS request for the target server HTTP/adfs.tailspintoys.ca, the account Local-1@TAILSPINTOYS.CA did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18 17 23 24 -135

The full EventID text:

While processing a TGS request for the target server HTTP/adfs.tailspintoys.ca, the account Local-1@TAILSPINTOYS.CA did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18  17  23  24  -135. The accounts available etypes were 23  18  17. Changing or resetting the password of ADFS-Service will generate a proper key.

All other authentication scenarios were fine after the OOB update.  Only AD FS had an issue.

What’s wrong with the AD FS service account?

AD FS Service Account Details

If we take a look at the ADFS-Service Account in AD DS using ADSIEdit, the msDS-SUpportedEncryptionTypes has an unexpected value of 0x2000 in hexadecimal.

Using ADSIEdit To View msDS-SUpportedEncryptionTypes

As you can see msDS-SupportedEncryptionTypes  - has a value of  0x2000.

This is hexadecimal which is 131072 decimal.  Or 0010 0000 0000 0000 0000 in binary.

Good luck trying to find that in official documenation of all the supported values [MS-KILE]: Supported Encryption Types Bit Flags | Microsoft Learn

This is an example where the cusomer at some point in the past added this value, but the reason is lost in the mist of time.

When the value was cleared and the AD FS service restarted the issue was resolved.

Provided Scripts Checking For msDS-SupportedEncryptionTypes

If we use the two provided PowerShell excerpts from earlier in this post to help scan for potential account misconfigurations, they do not catch the value present in the environment.

msDS-SupportedEncryptionTypes Not Detected

msDS-SupportedEncryptionTypes Not Detected

Checking For Unexpected msDS-SupportedEncryptionTypes Values

As you saw above, the provided PowerShell code did not find the the misconfiguration as it was so unexpected.  If we do want to check the values in PowerShell there are a few options.
A simple check for a single account could be done like this:

Get-ADUser adfs-service -Property msDS-SupportedEncryptionTypes

Get-ADUser To Check AD FS Service Account Details

I settled on the below for checking all of the accounts.  The output order was sorted to help sift through all of the accounts.  You could also export this to Excel if needed.  The sort order helps expose the outliers.

Get-ADObject -Filter {(objectClass -eq "user")} -Properties * | Select Name, msDS-SupportedEncryptionTypes | Sort msDS
-SupportedEncryptionTypes –Descending

 

Get-ADObject To Sort All User Objects msDS-SupportedEncryptionTypes By Descending Value

We could further refine the query to a particular portion of the directory with the below example where it scopes the searchbase.

Get-ADObject -SearchBase "OU=Service Accounts,DC=Tailspintoys,DC=ca" -Filter {(objectClass -eq "user")} -Properties * | Select Name, msDS-SupportedEncryptionTypes | Sort msDS-SupportedEncryptionTypes –Descending

Get-ADObject To Sort All User Objects msDS-SupportedEncryptionTypes By Descending Value With SearchBase Specified

Additional Resources

Steve's blog was aready mentioned, but he is also active on Twitter. Well worth following him!

Steve Syfuhs (@SteveSyfuhs) / Twitter

He has also discussed another note around EventID 27.

And his blog again: Steve on Security | Theoretical Headbanging (syfuhs.net)

Jerry Devore wrote a great article on Decrypting the Selection of Supported Kerberos Encryption Types

Cheers,
Rhoderick

Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *