Symptoms

Printing and scanning might fail when the printing or scanning devices use smart card (PIV) authentication.

Note: Devices that are affected when using smart card (PIV) authentication should work as expected when using username and password authentication. 

Cause

On July 13, 2021, Microsoft released hardening changes for CVE-2021-33764. This issue might occur after you install updates released July 13, 2021 or later on a domain controller (DC). The affected devices are smart card authenticating printers, scanners, and multifunction devices that don't support Diffie-Hellman (DH) for key exchange during PKINIT Kerberos authentication and also don't advertise support for des-ede3-cbc ("triple DES") during the Kerberos AS request. Per section 3.2.1 of the RFC 4556 specification, for this key exchange to work, the client must both support des-ede3-cbc ("triple DES") and notify the key distribution center (KDC) of that support. Clients that initiate Kerberos PKINIT with key exchange in encryption mode but neither support nor tell the KDC that they support des-ede3-cbc ("triple DES") will be rejected.

For printer and scanner client devices to be compliant, they must either:

  • Use Diffie-Hellman for key exchange during PKINIT Kerberos authentication (preferred).

  • Both support and notify the KDC of their support for des-ede3-cbc ("triple DES").

Next steps

If you encounter this issue with your printing or scanning devices, verify that you are using the latest firmware and drivers available for your device. If your firmware and drivers are up-to-date and you still encounter this issue, we recommend that you contact the device manufacturer. Ask if a configuration change is required to bring the device into compliance with the hardening change for CVE-2021-33764 or if a compliant update will be available.

If there is currently no way to bring your devices into compliance with section 3.2.1 of RFC 4556 spec as required for CVE-2021-33764, a temporary mitigation is now available while you work with your printing or scanning device manufacturer to bring your environment into compliance within the timeline below.

Important: You must have your non-compliant devices updated and compliant or replaced by February 8, 2022, when the temporary mitigation will not be usable in security updates.

Timeline

Target Date: July 13, 2021
Event: Updates released with hardening changes for CVE-2021-33764. All later updates have this hardening change on by default.
Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2

Target Date: July 27, 2021
Event: Updates released with a temporary mitigation to address printing and scanning issues on non-compliant devices. Updates released on this date or later must be installed on your DCs, and the mitigation must be turned on via the registry value using the steps below.
Applies to: Windows Server 2019, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2

Target Date: July 29, 2021
Event: Updates released with a temporary mitigation to address printing and scanning issues on non-compliant devices. Updates released on this date or later must be installed on your DCs, and the mitigation must be turned on via the registry value using the steps below.
Applies to: Windows Server 2016

Target Date: Mid-January 2022
Event: Optional preview update released to remove the temporary mitigation and require compliant printing and scanning devices in your environment.
Applies to: Windows Server 2019

Target Date: February 8, 2022
Event: Important: Security update released to remove the temporary mitigation and require compliant printing and scanning devices in your environment. All updates released on this day or later will not be able to use the temporary mitigation. Smart card-authenticating printers and scanners must be compliant with section 3.2.1 of the RFC 4556 specification, as required for CVE-2021-33764, after these or later updates are installed on Active Directory domain controllers.
Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2

Temporary Mitigation

To use the temporary mitigation in your environment, follow these steps on all your domain controllers:

  1. On your Domain Controllers, set the temporary mitigation registry value listed below to 1 (enable) by using the Registry Editor or the automation tools available in your environment.

    Note: This step can be done before or after steps 2 and 3. 

  2. Install an update that allows the temporary mitigation available in updates released July 27, 2021 or later (below are the first updates to allow the temporary mitigation):

  3. Restart your domain controller.

Registry value for temporary mitigation

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. 

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Value: Allow3DesFallback

Data type: DWORD

Data:
  1 – Enable temporary mitigation.
  0 – Enable default behavior, requiring your devices to be in compliance with section 3.2.1 of the RFC 4556 specification.

Restart required? No

The above registry value can be created and its data set by using the following command:

  • reg add HKLM\System\CurrentControlSet\Services\Kdc /v Allow3DesFallback /t REG_DWORD /d 1 /f
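As an added example (not from this article), the following PowerShell script applies, audits, or reverts the Allow3DesFallback value on every domain controller returned by Get-ADDomainController, so the setting stays consistent across all KDCs. It assumes the ActiveDirectory RSAT module is installed and PowerShell remoting (WinRM) is allowed to each DC.

```powershell
# Added example, not from the Microsoft article: apply, audit, or revert the
# Allow3DesFallback KDC mitigation on every domain controller in the domain.
# Assumes the ActiveDirectory RSAT module is installed and PowerShell remoting
# (WinRM) is allowed to each DC; run from a Domain Admin session.
param(
    [ValidateSet('Audit', 'Enable', 'Disable')]
    [string]$Mode = 'Audit'
)

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'Allow3DesFallback'

# Every DC runs the KDC, so the value must be set consistently on all of them.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $KdcKey, $ValueName, $Mode -ScriptBlock {
    param($Key, $Name, $Mode)

    if ($Mode -ne 'Audit') {
        # 1 = temporary mitigation on (3DES fallback allowed for PKINIT clients)
        # 0 = default hardened behaviour (RFC 4556 section 3.2.1 enforced)
        $data = if ($Mode -eq 'Enable') { 1 } else { 0 }
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $data -Force | Out-Null
    }

    # Report the effective state; an absent value means the hardened default applies.
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current)  { $state = 'not set (default, hardened)' }
    elseif ($current -eq 1)  { $state = '1 (temporary mitigation on)' }
    else                     { $state = "$current (default, hardened)" }

    [pscustomobject]@{
        DomainController  = $env:COMPUTERNAME
        Allow3DesFallback = $state
    }
}

$results | Select-Object DomainController, Allow3DesFallback | Format-Table -AutoSize
```

The value only has an effect on a DC that has the July 27 or July 29, 2021 (or later) update installed and has been restarted, as the steps above describe. Run with -Mode Disable once the devices are compliant, since updates released February 8, 2022 or later ignore the value anyway.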

More information

Microsoft has confirmed that this is an issue in the Microsoft products that are listed in the "Applies to" section.
