[German]It is still a few weeks until the April 2023 patchday. However, I would like to remind administrators who are responsible for updating Windows Domain Controllers about a topic in the Domain Controller area. It is about the fact that Microsoft has adjusted the certificate-based authentication for Domain Controllers (DC) via update in 2023 and disabled the possibility to disable it (in case of occurring problems) as of April 11, 2023.
Advertising
I had already pointed out looming changes to certificate-based authentication on domain controllers in January 2023 in the German article Änderungen an den Windows Sicherheitseinstellungen in 2023. Those who have still disabled the mode on the domain controller due to connection problems per registry entry will run into authentication problems from the effective date.
Now the issue has come back to my attention via Citrix the other day – Carl Stalhood points out the change in the following tweet. Because the Single Sign On (SSO) fails when trying to launch published resources and users get the error message "The username or password is incorrect".
CCitrix has summarized it again for its customers in the article FAS: Information about Microsoft KB KB5014754/CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923. However, the following information applies to all operators of Windows Domain Controllers.
- Microsoft had to address vulnerabilities CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923 via security update in August 2022 (Microsoft Security Update Summary (August 9, 2022)). A vulnerability existed that could lead to elevation of privilege when the Kerberos Distribution Center (KDC) handles a certificate-based authentication request.
- Since May 2022, the affected domain controllers have been running in a compatibility mode after installing the security update in question. The update had caused some trouble at the time.
- Until now, administrators could disable certificate-based authentication, which still relies on weak mapping, on domain controllers via registry entry. This deactivation mode will be removed by update on April 11, 2023.
- Beginning November 14, 2023, Microsoft will begin updating systems to Full Enforcement mode, to harden the systems with regard to this vulnerability. In this mode, authentication is denied if a certificate does not meet the strong (secure) association criteria and cannot be firmly assigned.
Further details may be read in Microsofts support article KB5014754: Certificate-based authentication changes on Windows domain controllers.
Advertising
