U-Tools: Unique Tools for Windows System Administrators
U-Move Help
Menu

KDC Ticket Signatures

CVE-2020-17049 disclosed a security vulnerability in the Kerberos service tickets issued by the Key Distribution Center (KDC) in Active Directory. If the ticket is not digitally signed it is possible for an attacker to tamper with the ticket when used for constrained delegation to another domain controller.

To address the security vulnerability, Microsoft added the mandatory signing of Kerberos service tickets issued by the Key Distribution Center (KDC) in an Active Directory domain controller (DC). The security update signs the Kerberos service tickets with the SHA-2 digital signature algorithm.

SHA-2 signatures for service tickets are enforced on Windows domain controllers after July 13, 2021 (KB4598347).

Important: Microsoft has announced that unsupported domain controllers "will no longer work" with supported domain controllers (KB4598347). Presumably this will happen when Windows Update is applied on or after July 13, 2021 ("mandatory enforcement phase"). It appears that this will adversely affect interoperability with other domain controllers that do not support SHA-2 or do not have the KDC fix applied. At minimum, Kerberos Constrained Delegation (KCD) for service tickets will not work. It is unclear if other network operations such as AD replication will be affected.

U-Move warns about CVE-2020-17049
U-Move version 2.7.4001 or later will warn you if it detects this situation. It will check AD configuration when you clone or upgrade Active Directory, making sure that the old domain controller and the new domain controller have the CVE-2020-17049 update and the SHA-2 update applied consistently to each DC.

To receive the warning, the backup snapshot (.BKF file) must be created by U-Move 2.7.4001 or later.

How to update Active Directory for CVE-2020-17049

Windows Server 2008 R2: Update the servicing stack, and then apply KB5001392.

Windows Server 2008: Apply KB5001332 or KB5001389.

To apply these updates you must have Extended Security Updates from Microsoft with the SHA-2 update installed.

For more information

For more information see Kerberos Constrained Delegation Overview.

U-Move for Active Directory
U-Move for Active DirectoryU-Move for Active Directory
Backing Up Active DirectoryBacking Up Active Directory
Restoring Active DirectoryRestoring Active Directory
Cloning Active DirectoryCloning Active Directory
Upgrading Active DirectoryUpgrading Active Directory
Remote Use and ScriptingRemote Use and Scripting
AD Consulting and Repair ServiceAD Consulting and Repair Service
AD Recovery ServiceAD Recovery Service
Error MessagesError Messages
Override of Warning MessagesOverride of Warning Messages
Check for Software UpdateCheck for Software Update
Duplicate Computer on NetworkDuplicate Computer on Network
Extend Your Support PlanExtend Your Support Plan
KDC Ticket SignaturesKDC Ticket Signatures
LDAP Signing Requirements for Active DirectoryLDAP Signing Requirements for Active Directory
Lingering ObjectsLingering Objects
Must Copy Internet Information ServicesMust Copy Internet Information Services
Need to Create a Global CatalogNeed to Create a Global Catalog
Need to Repair the NTDS DatabaseNeed to Repair the NTDS Database
Need License CodeNeed License Code
SHA-2 encryption: Phase out of SHA-1SHA-2 encryption: Phase out of SHA-1
USN RollbackUSN Rollback
Operation FailedOperation Failed
Fatal Internal Error: Cannot RecoverFatal Internal Error: Cannot Recover