Luke Hebert lhebert at
Mon Nov 16 10:44:21 EST 2020


We've just started encountering problems at customer sites with Kerberos
enabled clients as a result of how Microsoft appears to be approaching
<>. The
details on this CVE are slim on Mitre and there is a small amount of
additional information on the microsoft portal. I thought I'd ask the list
what their thoughts are on what is being done here. Disabling service
ticket and tgt renewability is not great and it obviously breaks long
running processes that rely on renewability of these items. I'm sure we
could move to an alternate approach where we do not renew these items but
rather obtain a new one but the changes are likely non-trivial across many
different projects.

>> *How does this patch affect third-party Kerberos clients?*

>> When the registry key is set to 1, patched domain controllers will issue
service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
and will refuse to renew existing service tickets and TGTs. Windows clients
are not impacted by this since they never renew service tickets or TGTs.
Third-party Kerberos clients may fail to renew service tickets or TGTs
acquired from unpatched DCs. If all DCs are patched with the registry set
to 1, third-party clients will no longer receive renewable tickets.

*--Luke Hebert* | <>

More information about the Kerberos mailing list