Active Directory Kerberos Changes (coming Feb 2023) and appropriate patches

Mike Murphy
2022-11-21T21:24:24.92+00:00

Hello,
I'm requesting some guidance / clarification on documents that initiated back in Nov 2021 & May 2022 regarding the Kerberos Distribution Center (KDC) and how it will be servicing a certificate-based authentication request with strong bindings only. After May 2023, clients will no longer be able to authenticate with a "weak" certificate mapping. I'm late to the game on this one, and most of the patches mentioned will not install on my Server 2019 test DCs or the CA. I get a dialog that this patch is not applicable to my computer. I believe I understand now, using the catalog, that only the latest update will install. The problem is that when I install the latest relevant patch, I don't get the behavior described in the docs (such as the registry keys for StrongCertificateBindingEnforcement on domain controllers).

Here are the articles I'm attempting to follow:
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_kdcregkey

https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-kerberos-auth-issues-in-emergency-updates/

The final article seems to suggest that patch KB5021655 should resolve all of the issues that were laid out in the previous year (for Server 2019). It also seems, when using the Microsoft Update Catalog, that this patch supersedes most of the earlier patches.

My concerns are that I never did see the registry key on the domain controllers for StrongCertificateBindingEnforcement, so I can't verify if I'm progressing correctly. I saw some of the event activity very briefly (maybe because I installed the latest patch too soon). I would also like to know if this applies to device certificates, since we don't use user certs.

Any guidance here is appreciated.
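An added example, not code from the original thread or from Microsoft's KB: a PowerShell audit a practitioner would run against the Server 2019 DCs to answer the two questions above (is the KDC setting present, and is the KDC logging weak-mapping events). It relies on facts documented in KB5014754: the update does not create the StrongCertificateBindingEnforcement value under HKLM\SYSTEM\CurrentControlSet\Services\Kdc, a missing value means the default of 1 (compatibility mode), 0 disables the check and 2 is full enforcement; the patched KDC writes event IDs 39, 40 and 41 from the Microsoft-Windows-Kerberos-Key-Distribution-Center provider to the System log when a certificate can only be weakly mapped; and certificates issued by a patched CA carry the SID extension with OID 1.3.6.1.4.1.311.25.2. The script assumes it is run from a domain-joined admin workstation with the ActiveDirectory RSAT module and WinRM to the DCs; the $Days look-back window, the -SetCompatibilityMode switch and the helper name Test-SidExtension are this example's own choices, not anything the thread or the KB names.

```powershell
# Added example (not part of the original post): audit KB5014754 state on every DC.
# Assumptions: domain admin rights, ActiveDirectory module installed, WinRM open to DCs.
param(
    [int]$Days = 7,                 # look-back window for KDC weak-mapping events (arbitrary)
    [switch]$SetCompatibilityMode   # explicitly write StrongCertificateBindingEnforcement=1
)

Import-Module ActiveDirectory

$KdcPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$SchannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$KdcProvider  = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
# 39 = weak mapping only, 40 = certificate predates the account, 41 = SID extension mismatch
$WeakMapIds   = 39, 40, 41
$SidExtOid    = '1.3.6.1.4.1.311.25.2'

# Returns $true when a certificate carries the KB5014754 SID extension, i.e. it was
# issued by a patched CA and can be strongly mapped without an altSecurityIdentities entry.
# Works for machine (device) certificates exactly as for user certificates.
function Test-SidExtension {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq $SidExtOid) { return $true }
    }
    return $false
}

$dcs = (Get-ADDomainController -Filter *).HostName

$audit = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        $kdcPath  = $using:KdcPath
        $schPath  = $using:SchannelPath
        $provider = $using:KdcProvider
        $ids      = $using:WeakMapIds
        $days     = $using:Days
        $set      = [bool]$using:SetCompatibilityMode

        # Neither value is created by the update; read them with -ErrorAction so an absent
        # value shows up as $null instead of terminating the remote block.
        $kdc = Get-ItemProperty -Path $kdcPath -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
        $sch = Get-ItemProperty -Path $schPath -Name CertificateMappingMethods -ErrorAction SilentlyContinue

        if ($set -and -not $kdc) {
            # Make the documented default explicit so the value is visible for later audits.
            New-ItemProperty -Path $kdcPath -Name StrongCertificateBindingEnforcement `
                -PropertyType DWord -Value 1 -Force | Out-Null
            $kdc = Get-ItemProperty -Path $kdcPath -Name StrongCertificateBindingEnforcement
        }

        $kdcValue = '(absent: default 1, compatibility mode)'
        if ($kdc) { $kdcValue = $kdc.StrongCertificateBindingEnforcement }
        $schValue = '(absent)'
        if ($sch) { $schValue = '0x{0:X}' -f $sch.CertificateMappingMethods }

        # Weak-mapping events only appear once a patched KDC has serviced a PKINIT logon,
        # so a zero here on a quiet test DC is not proof that the update is inactive.
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = $provider
            Id           = $ids
            StartTime    = (Get-Date).AddDays(-$days)
        } -ErrorAction SilentlyContinue

        $byId = @{}
        foreach ($e in @($events)) { $byId[$e.Id] = 1 + [int]$byId[$e.Id] }

        [pscustomobject]@{
            DC                        = $env:COMPUTERNAME
            StrongBindingEnforcement  = $kdcValue
            CertificateMappingMethods = $schValue
            Event39                   = [int]$byId[39]
            Event40                   = [int]$byId[40]
            Event41                   = [int]$byId[41]
        }
    }
}

$audit | Format-Table -AutoSize

# Local check of the machine certificates on this host: which ones a patched KDC can
# map strongly via the SID extension, and which would need altSecurityIdentities instead.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotBefore, Thumbprint, @{ n = 'HasSidExtension'; e = { Test-SidExtension $_ } } |
    Format-Table -AutoSize
```

Read the table the way the KB describes the modes: an absent value is not a missing patch, it is compatibility mode, and the only thing that proves the DC is patched is that the KDC emits 39/40/41 during certificate logons. Device certificates that show HasSidExtension = False were issued before the CA was patched and will need reissuing or a strong altSecurityIdentities mapping (X509:<I>...<SR>..., X509:<SKI>... or X509:<SHA1-PUKEY>...) before setting the value to 2.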


2 answers

  1. Dave Patrick (MVP)
    2022-11-22T00:46:11.573+00:00

    Something here could help.
    https://www.cisa.gov/guidance-applying-june-microsoft-patch



  2. Mike Murphy
    2022-12-14T19:19:55.32+00:00

    Well,
    The bottom line appears to be that you cannot install previous patches if you already have a superseding patch installed, so it seems to do no good to back-trace steps. According to this unofficial post:

    https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-kerberos-auth-issues-in-emergency-updates/

    KB5021655 is supposed to fix everything, and the advice is to undo any workaround previously implemented. I think for the time being I'm going to assume that installing this patch on Server 2019 DCs takes care of all issues.

    Thanks for your responses.
