{"id":28949,"date":"2023-03-05T00:05:12","date_gmt":"2023-03-04T23:05:12","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=28949"},"modified":"2023-03-23T08:13:34","modified_gmt":"2023-03-23T07:13:34","slug":"reminder-changes-to-certificate-based-authentication-for-domain-controllers-in-april-2023","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/03\/05\/reminder-changes-to-certificate-based-authentication-for-domain-controllers-in-april-2023\/","title":{"rendered":"Reminder: Changes to Certificate-Based Authentication for Domain Controllers in April 2023"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/?p=278442\" target=\"_blank\" rel=\"noopener\">German<\/a>]It is still a few weeks until the April 2023 patchday. However, I would like to remind administrators responsible for updating Windows Domain Controllers (DC) of a DC-specific topic: Microsoft changed certificate-based authentication on domain controllers via update in May 2022 (KB5014754) and, with the updates of April 11, 2023, removes the option of switching the new strong certificate mapping enforcement off again via the registry should problems occur.<\/p>\n<p><!--more--><\/p>\n<p>I had already pointed out looming changes to certificate-based authentication on domain controllers in January 2023 in the German article <a href=\"https:\/\/www.borncity.com\/blog\/2023\/01\/15\/nderungen-an-den-windows-sicherheitseinstellungen-in-2023\/\">\u00c4nderungen an den Windows Sicherheitseinstellungen in 2023<\/a>. 
Anyone who has set the domain controllers to Disabled mode via registry entry because of authentication problems will, from the effective date, run into the authentication failures that this setting has been masking.<\/p>\n<p>Now the issue has come back to my attention via Citrix the other day: Carl Stalhood points out the change in the following <a href=\"https:\/\/twitter.com\/cstalhood\/status\/1630336361482932225\" target=\"_blank\" rel=\"noopener\">tweet<\/a>. In the Citrix Federated Authentication Service (FAS) scenario, Single Sign On (SSO) fails when users try to launch published resources, and they get the error message \"The username or password is incorrect\".<\/p>\n<p><a href=\"https:\/\/twitter.com\/cstalhood\/status\/1630336361482932225\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Certificate-based authentication changes on domain controllers\" src=\"https:\/\/i.imgur.com\/XlcGJr8.png\" alt=\"Certificate-based authentication changes on domain controllers\" \/><\/a><\/p>\n<p>Citrix has summarized it again for its customers in the article <a href=\"https:\/\/support.citrix.com\/article\/CTX479236\/fas-information-about-microsoft-kb-kb5014754cve202234691-cve202226931-and-cve202226923\" target=\"_blank\" rel=\"noopener\">FAS: Information about Microsoft KB KB5014754\/CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923<\/a>. However, the following information applies to all operators of Windows Domain Controllers.<\/p>\n<ul>\n<li>Microsoft addressed the vulnerabilities CVE-2022-26923 and CVE-2022-26931 with the May 2022 security updates (KB5014754) and CVE-2022-34691 with the August 2022 updates (<a href=\"https:\/\/borncity.com\/win\/2022\/08\/10\/microsoft-security-update-summary-9-august-2022\/\">Microsoft Security Update Summary (August 9, 2022)<\/a>). All three are elevation of privilege vulnerabilities in the way the Kerberos Key Distribution Center (KDC) handles a certificate-based authentication request: the KDC mapped certificates to accounts by weak criteria such as the subject name or UPN, which an attacker can influence, so a low-privileged user could obtain a certificate that authenticates as a more privileged account.<\/li>\n<li>Since May 2022, the affected domain controllers have been running in Compatibility mode after installing the security update in question. 
The update had caused some trouble at the time.<\/li>\n<li>Until now, administrators could switch the new strong certificate mapping enforcement off entirely (Disabled mode, registry value StrongCertificateBindingEnforcement = 0 under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc), so that the KDC continued to accept certificates that are only weakly mapped to an account without any further checks. The update of April 11, 2023 removes this Disabled mode: the value 0 is no longer honoured and the domain controller behaves as in Compatibility mode (value 1).<\/li>\n<li>Beginning November 14, 2023, Microsoft will begin updating systems to Full Enforcement mode (value 2), to harden the systems with regard to these vulnerabilities. In this mode, authentication is denied for every certificate that cannot be strongly mapped to an account, i.e. one that neither carries the SID extension that updated Windows CAs have been adding since May 2022 nor is mapped via a strong altSecurityIdentities entry (issuer and serial number, subject key identifier, or SHA1 public key). Administrators should therefore check the System log of their domain controllers for events 39, 40 and 41 from the Kerberos-Key-Distribution-Center source, which name the certificates that would be rejected.<\/li>\n<\/ul>\n<p>Further details may be read in Microsoft's support article <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_additionalresources\" target=\"_blank\" rel=\"noopener\">KB5014754: Certificate-based authentication changes on Windows domain controllers<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]It is still a few weeks until the April 2023 patchday. However, I would like to remind administrators who are responsible for updating Windows Domain Controllers about a topic in the Domain Controller area. 
It is about the fact that &hellip; <a href=\"https:\/\/borncity.com\/win\/2023\/03\/05\/reminder-changes-to-certificate-based-authentication-for-domain-controllers-in-april-2023\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22,2],"tags":[69,159],"class_list":["post-28949","post","type-post","status-publish","format-standard","hentry","category-security","category-update","category-windows","tag-security","tag-windows-server"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/28949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=28949"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/28949\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=28949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=28949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=28949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
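Added example for the enforcement modes and KDC events the post above describes (my own code, not from the blog post, Citrix or Microsoft). It assumes the registry locations, the event IDs 39/40/41 and the altSecurityIdentities string format documented in KB5014754; the function names, the -Days parameter and the issuer DN and serial number in the usage lines are placeholders I chose. Run it in an elevated PowerShell on a domain controller.

```powershell
# Added example (not code from the blog post, Citrix or Microsoft): audit a domain
# controller for the KB5014754 enforcement mode, list the KDC events that show which
# certificates would be rejected under Full Enforcement, and build a strong
# altSecurityIdentities mapping for an account. Registry locations, event IDs and
# the mapping string format are the ones documented in KB5014754; function names,
# the -Days default and the usage values are my own placeholders.

$kdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$modes       = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full Enforcement' }

function Get-CertBindingEnforcementMode {
    # A missing value means the post-May-2022 default, Compatibility mode.
    $value = (Get-ItemProperty -Path $kdcKey -Name 'StrongCertificateBindingEnforcement' `
                -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    if ($null -eq $value) { $value = 1 }
    $note = ''
    if ($value -eq 0) {
        $note = 'Disabled mode is no longer honoured after the April 11, 2023 update; the KDC behaves as Compatibility mode.'
    }
    # Schannel-based certificate logons (LDAPS, IIS client certificates) have their own switch.
    $schannel = (Get-ItemProperty -Path $schannelKey -Name 'CertificateMappingMethods' `
                    -ErrorAction SilentlyContinue).CertificateMappingMethods
    $schannelText = 'not set (post-update default)'
    if ($null -ne $schannel) { $schannelText = '0x{0:X}' -f $schannel }
    [pscustomobject]@{
        StrongCertificateBindingEnforcement = [int]$value
        Mode                                = $modes[[int]$value]
        SchannelCertificateMappingMethods   = $schannelText
        Note                                = $note
    }
}

# Events the KDC writes to the System log for a certificate that is not strongly
# mapped (39), that predates the account it maps to (40), or whose SID extension
# does not match the account (41). In Compatibility mode 39 is only a warning while
# 40 and 41 already deny the logon; in Full Enforcement mode all three deny it.
function Get-WeakCertificateMappingEvents {
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # The first message line names the user and the certificate subject.
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Strong mapping in the issuer/serial-number form. KB5014754 expects the issuer DN
# with its components reversed (DC=com,DC=contoso,CN=...) and the serial number in
# reversed byte order; this function does the byte reversal for a serial number as
# certutil or Get-ChildItem Cert:\ display it.
function New-IssuerSerialMapping {
    param(
        [Parameter(Mandatory)][string]$ReversedIssuerDN,   # e.g. 'DC=com,DC=contoso,CN=CONTOSO-DC-CA'
        [Parameter(Mandatory)][string]$SerialNumberHex     # hex string, spaces or colons allowed
    )
    $hex = $SerialNumberHex -replace '[\s:]', ''
    if ($hex.Length % 2 -ne 0 -or $hex -notmatch '^[0-9A-Fa-f]+$') {
        throw "Serial number must be an even number of hex digits: '$SerialNumberHex'"
    }
    $bytes = @([regex]::Matches($hex, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($bytes)
    "X509:<I>$ReversedIssuerDN<SR>$($bytes -join '')"
}

# Usage. The issuer DN, serial number and account below are placeholders; Set-ADUser
# comes from the ActiveDirectory module and is left commented out on purpose.
Get-CertBindingEnforcementMode | Format-List
Get-WeakCertificateMappingEvents -Days 30 | Format-Table -AutoSize
$mapping = New-IssuerSerialMapping -ReversedIssuerDN 'DC=com,DC=contoso,CN=CONTOSO-DC-CA' `
                                   -SerialNumberHex '2B0000000011AC0000000012'
$mapping   # X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B
# Set-ADUser -Identity 'alice' -Add @{ altSecurityIdentities = $mapping }
```

Run the first two calls on every domain controller before April 11, 2023: a StrongCertificateBindingEnforcement value of 0 tells you the DC has been relying on Disabled mode, and any event 39 entries list the accounts whose certificates still need either a reissued certificate with the SID extension or a strong altSecurityIdentities mapping before Full Enforcement arrives.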