Kerberos change password faild after Windows update KB5008380 (CVE-2021-42287)

culater 1 Reputation point
2021-12-11T16:42:55.21+00:00

As the Windows updates KB5008380 described, Authentication updates (CVE-2021-42287) is involved in the update.

After updating KB5008380 on the domain controller with setting the registry key PacRequestorEnforcement to 2, all the password changing operations on any computers within the Active Directory will failed with the KDC_ERR_TGT_REVOKED(20) error!But before updating KB5008380, the password of the computer can be changed successfully.
156816-tgt-revoked.png

In my application programe with C language, I always call the krb5_set_password API method in MIT krb5-1.19 opensource library as RFC 4120, this Kerberos password protocol is also specified in RFC 3244.

My questions are:

  1. why does this happend after updating KB5008380 on the domain controller?
  2. Is any fileds in the krb5_set_password caller or other kerberos API caller MUST be specified after the KB5008380 update in my programe? Also means that they may not be necessory before KB5008380.
  3. Is any newly changes introduced to the [MS-PAC] or [MS-KILE] or other microsoft specification documents about this issue?

Thanks.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,575 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,684 questions
{count} votes