UPDATED 1/20/2022

Summary

CVE-2021-42287 addresses a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers. To exploit this vulnerability, a compromised domain account might cause the Key Distribution Center (KDC) to create a service ticket with a higher privilege level than that of the compromised account. It accomplishes this by preventing the KDC from identifying which account the higher privilege service ticket is for.

The improved authentication process in CVE-2021-42287 adds new information about the original requestor to the PACs of Kerberos Ticket-Granting Tickets (TGT). Later, when a Kerberos service ticket is generated for an account, the new authentication process will verify that the account that requested the TGT is the same account referenced in the service ticket.

After installing Windows updates dated November 9, 2021 or later, PACs will be added to the TGT of all domain accounts, even those that previously chose to decline PACs.

Take action

To protect your environment and avoid outages, please complete the following steps:

  1. Update all devices that host the Active Directory domain controller role by installing the November 9, 2021 security update and the November 14, 2021 out-of-band (OOB) update. Find the OOB KB number for your specific OS below.

    OS

    KB number

    Windows Server 2016

    5008601

    Windows Server 2019

    5008602

    Windows Server 2012 R2

    5008603

    Windows Server 2012

    5008604

    Windows Server 2008 R2 SP1

    5008605

    Windows Server 2008 SP2

    5008606

  2. After installing the November 9, 2021 security update and the November 14, 2021 OOB update on all Active Directory domain controllers for at least 7 days, we strongly suggest that you enable Enforcement mode on all Active Directory domain controllers.

  3. Starting with the July 12, 2022 Enforcement Phase update, Enforcement mode will be enabled on all Windows domain controllers and will be required.

Timing of Windows updates

These Windows Updates will be released in three phases:

  1. Initial deployment – Introduction of the update, as well as the PacRequestorEnforcement registry key

  2. Second deployment – Removal of PacRequestorEnforcement value of 0 (ability to disable the registry key)

  3. Enforcement phase – Enforcement mode is enabled. Removal of PacRequestorEnforcement registry key

November 9, 2021: Initial deployment phase

The initial deployment phase starts with the Windows update released on November 9, 2021. This release:

  • Adds protections against CVE-2021-42287

  • Adds support for the PacRequestorEnforcement registry value, which allows you to transition to the Enforcement phase early

Mitigation consists of the installation of Windows updates on all devices that host the domain controller role and read-only domain controllers (RODCs).

April 12, 2022: Second deployment phase

The second deployment phase starts with the Windows update released on April 12, 2022. This phase removes the PacRequestorEnforcement setting of 0. Setting PacRequestorEnforcement to 0 after this update is installed will have the same effect as setting PacRequestorEnforcement to 1. The domain controllers (DCs) will be in Deployment mode.

Note This phase is not necessary if PacRequestorEnforcement was never set to 0 in your environment. This phase helps ensure that customers that set PacRequestorEnforcement to 0move to setting 1 before the Enforcement phase.

Note This update assumes that all domain controllers are updated with the November 9, 2021 or later Windows update.

July 12, 2022: Enforcement phase

The July 12, 2022 release will transition all Active Directory domain controllers into the Enforcement phase. The Enforcement phase will also remove the PacRequestorEnforcement registry key completely. As a result, Windows domain controllers that have installed the July 12, 2022 update will no longer be compatible with:

  • Domain controllers that did not install the November 9, 2021 or later updates.

  • Domain controllers that installed the November 9, 2021 or later updates but have not yet installed the April 12, 2022 update ANDwho have a PacRequestorEnforcement registry value of 0.

However, Windows domain controllers that have installed the July 12, 2022 update will remain compatible with:

  • Windows domain controllers that have installed the July 12, 2022 or later updates

  • Window domain controllers that have installed the November 9th, 2021 or later updates and have a PacRequestorEnforcement value or either 1 or 2

Registry key information

After installing CVE-2021-42287 protections in Windows updates released between November 9, 2021 and June 14, 2022, the following registry key will be available:

Registry subkey

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc

Value

PacRequestorEnforcement

Data type

REG_DWORD

Data

1: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, no further action is taken. Active Directory domain controllers in this mode are in the Deployment phase.

2: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, the authentication is denied. Active Directory domain controllers in this mode are in the Enforcement phase.

0: Disables the registry key. Not recommended. Active Directory domain controllers in this mode are in the Disabled phase. This value will not exist after the April 12, 2022 or later updates.

Important Setting 0 is not compatible with setting 2. Intermittent failures might occur if both settings are used within a forest. If setting 0 is used, we recommend that you transition setting 0 (Disable) to setting 1 (Deployment) for at least a week before moving to setting 2 (Enforcement mode).

Default

1 (when registry key is not set)

Is a restart required?

No

Auditing Events

The November 9, 2021 Windows update will also add new event logs.

PAC without attributes

The KDC encounters a TGT without the PAC Attribute buffer. It is likely that the other KDC in the logs does not contain the update or is in Disabled mode.

Event Log

System

Event Type

Warning

Event Source

Kdcsvc

Event ID

35

Event Text

The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (“<KDC Name>”) that did not contain a PAC attributes field. 

Ticket without a PAC

The KDC encounters a TGT or other evidence ticket without a PAC. This prevents the KDC from enforcing security checks on the ticket.

Event Log

System

Event Type

Warning during Deployment Phase

Error during Enforcement Phase

Event Source

Kdcsvc

Event ID

36

Event Text

The Key Distribution Center (KDC) encountered a ticket that did not contain a PAC while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. 

Client: <Domain Name>\<User Name>

Ticket for: <Service Name>

Ticket without Requestor

The KDC encounters a TGT or other evidence ticket without the PAC Requestor buffer. It is likely that the KDC that constructed the PAC does not contain the update or is in Disabled mode.

Note See the Known issues section for important information about Event 37.

Event Log

System

Event Type

Warning during Deployment Phase

Error during Enforcement Phase

Event Source

Kdcsvc

Event ID

37

Event Text

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. 

Ticket PAC constructed by: <KDC Name>

 Client: <Domain Name>\<Client Name>

Ticket for: <Service Name>

Requestor Mismatch

The KDC encounters a TGT or other evidence ticket, and the account that requested the TGT or evidence ticket does not match the account that the service ticket is built for.

Event Log

System

Event Type

Error

Event Source

Kdcsvc

Event ID

38

Event Text

The Key Distribution Center (KDC) encountered a ticket that contained inconsistent information about the account that requested the ticket. This could mean that the account has been renamed since the ticket was issued, which may have been part of an attempted exploit. 

Ticket PAC constructed by: <Kdc Name>

Client: <Domain Name>\<User Name>

Ticket for: <Service Name>

Requesting Account SID from Active Directory: <SID>

Requesting Account SID from Ticket: <SID>

Known issues

Symptom

Workaround

After installing Windows updates released November 9, 2021 or later on domain controllers (DCs), some customers might see the new audit Event ID 37 logged after certain password setting or change operations such as:

  • Update or Repair failover cluster's CNO or VCO

  • Reset a user's password from the Active Directory Users and Computers (dsa.msc) console

  • Create a new user from the Active Directory Users and Computers (dsa.msc) console

  • Change password for third-party, domain-joined devices

If you do not see Event ID 37 after installing Windows updates released November 9, 2021 or later for a week and PacRequestorEnforcement is either ‘1’ or ‘2’, then your environment is not affected.

If you set PacRequestorEnforcement = 1, Event ID 37 is logged as a warning, but password change requests will succeed and will not affect users.

If you set PacRequestorEnforcement = 2, password change requests will fail and will cause the operations listed above to also fail.

Microsoft is investigating this issue. In the meantime, temporarily avoid setting PacRequestorEnforcement = 2 on affected environments.

Frequently asked questions

Q1 What happens if I have a mixture of Active Directory domain controllers that are updated and not updated?

A1. A mixture of domain controllers that are updated and not updated but have the default PacRequestorEnforcement registry key value of 1 are compatible with each other. However, Microsoft strongly advises against having domain controllers that are updated and not updated in an environment.

Q2 What happens if I have a mixture of Active Directory domain controllers that have various PacRequestorEnforcement values?

A2. A mixture of domain controllers that have PacRequestorEnforcement values of 0 and 1 are compatible with each other. A mixture of domain controllers that have PacRequestorEnforcement values of 1 and 2 are compatible with each other. A mixture of domain controllers that have PacRequestorEnforcement values of 0 and 2 are not compatible with each other and might cause intermittent failures. Please see the Registry key information section for further details.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×