Symptoms

Printing and scanning might fail when these devices use smart card (PIV) authentication.

Note Devices that are affected when using smart card (PIV) authentication should work as expected when using username and password authentication.

Cause

On July 13, 2021, Microsoft released hardening changes for CVE-2021-33764. This issue might occur after you install updates released July 13, 2021 or later on a domain controller (DC). The affected devices are smart card authenticating printers, scanners, and multifunction devices that either don't support Diffie-Hellman (DH) key exchange during PKINIT Kerberos authentication or don't advertise support for des-ede3-cbc ("triple DES") during the Kerberos AS request.

Per section 3.2.1 of the RFC 4556 specification, for this key exchange to work, the client must both support des-ede3-cbc ("triple DES") and notify the key distribution center (KDC) of that support. Clients that initiate Kerberos PKINIT with key exchange in encryption mode but neither support nor tell the KDC that they support des-ede3-cbc ("triple DES") will be rejected.

For printer and scanner client devices to be compliant, they must either:

  • Use Diffie-Hellman for key exchange during PKINIT Kerberos authentication (preferred).

  • Or, both support and notify the KDC of their support for des-ede3-cbc ("triple DES").

Next steps

If you encounter this issue with your printing or scanning devices, verify that you are using the latest firmware and drivers available for your device. If your firmware and drivers are up to date and you still encounter this issue, we recommend that you contact the device manufacturer. Ask whether a configuration change is required to bring the device into compliance with the hardening change for CVE-2021-33764, or whether a compliant update will be made available.

If there is currently no way to bring your devices into compliance with section 3.2.1 of the RFC 4556 specification as required for CVE-2021-33764, a temporary mitigation is available while you work with your printing or scanning device manufacturer to bring your environment into compliance within the timeline below.

Important You must have your noncompliant devices updated and compliant, or replaced, by July 12, 2022, after which the temporary mitigation will no longer be available in security updates.

Important Notice

All temporary mitigation for this scenario will be removed in July 2022 and August 2022, depending on the version of Windows that you are using (see the table below). There will be no further fallback option in later updates. All noncompliant devices must be identified using the audit events available starting January 2022, and updated or replaced before the mitigation removal starting in late July 2022.

After July 2022, devices that are not compliant with the RFC 4556 specification and CVE-2021-33764 will not be usable with an updated Windows device.

Target Date: July 13, 2021
Event: Updates released with hardening changes for CVE-2021-33764. All later updates have this hardening change on by default.
Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2

Target Date: July 27, 2021
Event: Updates released with temporary mitigation to address printing and scanning issues on noncompliant devices. Updates released on this date or later must be installed on your DC, and the mitigation must be turned on through the registry key using the steps below.
Applies to: Windows Server 2019, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2

Target Date: July 29, 2021
Event: Updates released with temporary mitigation to address printing and scanning issues on noncompliant devices. Updates released on this date or later must be installed on your DC, and the mitigation must be turned on through the registry key using the steps below.
Applies to: Windows Server 2016

Target Date: January 25, 2022
Event: Updates log audit events on Active Directory domain controllers that identify printers that are incompatible with RFC 4556 and will fail authentication once DCs install the July 2022/August 2022 or later updates.
Applies to: Windows Server 2022, Windows Server 2019

Target Date: February 8, 2022
Event: Updates log audit events on Active Directory domain controllers that identify printers that are incompatible with RFC 4556 and will fail authentication once DCs install the July 2022/August 2022 or later updates.
Applies to: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2

Target Date: July 19, 2022
Event: Optional preview update release that removes the temporary mitigation, requiring compliant printing and scanning devices in your environment.
Applies to: Windows Server 2019

Target Date: August 9, 2022
Event: Important Security update release that removes the temporary mitigation, requiring compliant printing and scanning devices in your environment. All updates released on this day or later will be unable to use the temporary mitigation. Smart card authenticating printers and scanners must be compliant with section 3.2.1 of the RFC 4556 specification required for CVE-2021-33764 after these or later updates are installed on Active Directory domain controllers.
Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2

To use the temporary mitigation in your environment, follow these steps on all domain controllers:

  1. On the domain controllers, set the temporary mitigation registry value listed below to 1 (enable) by using Registry Editor or the automation tools available in your environment.

    Note This step 1 can be done before or after steps 2 and 3.

  2. Install an update that includes the temporary mitigation (released July 27, 2021 or later; the first updates to include it are listed below):

  3. Restart your domain controller.

Registry value for temporary mitigation:

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Value: Allow3DesFallback

Data type: DWORD

Data:

  1 – Enable temporary mitigation.

  0 – Default behavior, requiring your devices to comply with section 3.2.1 of the RFC 4556 specification.

Restart required? No

The registry key above can be created, and its value and data set, by using the following command:

  • reg add HKLM\System\CurrentControlSet\Services\Kdc /v Allow3DesFallback /t REG_DWORD /d 1 /f
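The mitigation has to be consistent on every DC, so the following script, added here as an example and not part of the article, reports or sets the Allow3DesFallback value on all domain controllers in the domain. It assumes the ActiveDirectory RSAT module is installed and that WinRM (Invoke-Command) is permitted to the DCs.

```powershell
# Added example (not from the original article): report or set the temporary
# Allow3DesFallback mitigation on every domain controller in the domain.
# Assumes the ActiveDirectory module (Get-ADDomainController) and WinRM access.
param(
    [ValidateSet('Report', 'Enable', 'Disable')]
    [string]$Mode = 'Report'
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$Name    = 'Allow3DesFallback'

# Every DC runs its own KDC, so the value must be checked/set on each one.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $RegPath, $Name, $Mode -ScriptBlock {
    param($RegPath, $Name, $Mode)

    # Read the current value; $null means the value has never been created.
    $current = (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue).$Name

    if ($Mode -ne 'Report') {
        $desired = if ($Mode -eq 'Enable') { 1 } else { 0 }
        # REG_DWORD, matching the article's "reg add ... /t REG_DWORD" command.
        New-ItemProperty -Path $RegPath -Name $Name -PropertyType DWord -Value $desired -Force | Out-Null
        $current = $desired
    }

    $state = if ($current -eq 1) { 'Enabled (temporary 3DES fallback)' }
             else                { 'Default (RFC 4556 3.2.1 enforced)' }
    $shown = if ($null -eq $current) { '<not set>' } else { $current }

    [pscustomobject]@{ DC = $env:COMPUTERNAME; Value = $shown; Mitigation = $state }
}

$results | Sort-Object DC | Format-Table DC, Value, Mitigation -AutoSize
```

Run with -Mode Report first to see which DCs differ, then -Mode Enable or -Mode Disable; the value is read by the KDC without a restart, as the table above states.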

Auditing Events

The January 25, 2022 and February 8, 2022 Windows updates also add new event IDs to help identify affected devices.

Event Log: System

Event Type: Error

Event Source: Kdcsvc

Event ID: 307; 39 (Windows Server 2008 R2 SP1, Windows Server 2008 SP2)

Event Text: The Kerberos client did not supply a supported encryption type for use with the PKINIT protocol using encryption mode.

  • Client Principal Name: <Domain Name>\<Client Name>

  • Client IP Address: IPv4/IPv6

  • Client Supplied NetBIOS Name: %3

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 308; 40 (Windows Server 2008 R2 SP1, Windows Server 2008 SP2)

Event Text: A nonconforming PKINIT Kerberos client authenticated to this DC. The authentication was allowed because KDCGlobalAllowDesFallBack was set. In the future, these connections will fail authentication. Identify the device and look to upgrade its Kerberos implementation

  • Client Principal Name: <Domain Name>\<Client Name>

  • Client IP Address: IPv4/IPv6

  • Client Supplied NetBIOS Name: %3
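Because each DC logs only the clients that happened to authenticate to it, the following script, added here as an example and not part of the article, collects the Kdcsvc 307/308 (and 39/40) events from the System log of every DC and lists each noncompliant device once, with whether it was rejected or only allowed by the fallback. It assumes the ActiveDirectory RSAT module and remote event log access to the DCs, and parses the field names from the event text shown above.

```powershell
# Added example (not from the original article): inventory noncompliant PKINIT
# clients from the audit events on all DCs. Assumes the ActiveDirectory module
# and that Get-WinEvent can reach each DC's System log remotely.
param([int]$Days = 30)

$dcs = (Get-ADDomainController -Filter *).HostName

# 307/39 = rejected (mitigation off); 308/40 = allowed by fallback, will fail after removal.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Kdcsvc'
    Id           = 307, 308, 39, 40
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = foreach ($dc in $dcs) {
    # SilentlyContinue: a DC with no matching events raises a non-fatal error.
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message   # rendered text, same layout as the article's Event Text
            $principal = if ($m -match 'Client Principal Name:\s*(\S+)')        { $Matches[1] } else { '' }
            $ip        = if ($m -match 'Client IP Address:\s*(\S+)')            { $Matches[1] } else { '' }
            $netbios   = if ($m -match 'Client Supplied NetBIOS Name:\s*(\S+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                DC        = $dc
                Time      = $_.TimeCreated
                Outcome   = if ($_.Id -in 307, 39) { 'Rejected' } else { 'Allowed by fallback' }
                Principal = $principal
                ClientIP  = $ip
                NetBIOS   = $netbios
            }
        }
}

# Collapse to one row per device: occurrences, last seen, current outcome, DCs involved.
$events |
    Group-Object Principal, ClientIP, NetBIOS |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            Principal = $latest.Principal
            ClientIP  = $latest.ClientIP
            NetBIOS   = $latest.NetBIOS
            Count     = $_.Count
            LastSeen  = $latest.Time
            Status    = $latest.Outcome
            DCs       = ($_.Group.DC | Sort-Object -Unique) -join ','
        }
    } | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

Devices showing "Allowed by fallback" are the ones that will stop authenticating when the mitigation is removed, so they are the list to hand to the manufacturer or to schedule for replacement.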

Status

Microsoft has confirmed that this is an issue in the Microsoft products that are listed in the "Applies to" section.
