Kerberos change password faild after Windows update KB5008380 (CVE-2021-42287)

culater 1

As the Windows updates KB5008380 described, Authentication updates (CVE-2021-42287) is involved in the update.

After updating KB5008380 on the domain controller with setting the registry key PacRequestorEnforcement to 2, all the password changing operations on any computers within the Active Directory will failed with the KDC_ERR_TGT_REVOKED(20) error!But before updating KB5008380, the password of the computer can be changed successfully.

In my application programe with C language, I always call the krb5_set_password API method in MIT krb5-1.19 opensource library as RFC 4120, this Kerberos password protocol is also specified in RFC 3244.

My questions are:

why does this happend after updating KB5008380 on the domain controller?
Is any fileds in the krb5_set_password caller or other kerberos API caller MUST be specified after the KB5008380 update in my programe? Also means that they may not be necessory before KB5008380.
Is any newly changes introduced to the [MS-PAC] or [MS-KILE] or other microsoft specification documents about this issue？

Thanks.

Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee

2021-12-14T14:24:43.673+00:00

Are the AS-REQ and KPASSWD request hiting the same DC? If not, are both of them patched?
Do you have the same behavior with different values for PacRequestorEnforcement?
culater 1 Reputation point

2021-12-17T09:13:56.027+00:00

1.AS-REQ and KPASSWD request are in the same domain controller. By the way, there is ony one dc in the domain.
2. When the PacRequestorEnforcement is set to value of 0 or 1, KPASSWD will succeed. But that will failed if PacRequestorEnforcement is set to value of 2.

Share via

Kerberos change password faild after Windows update KB5008380 (CVE-2021-42287)