IMPORTANT The date for Enforcement mode as previously noted in this article has changed to March 9, 2021.

Summary

If you use Protected Users and Resource-Based Constrained Delegation (RBCD), a security vulnerability may exist on Active Directory domain controllers. To learn more about the security vulnerability, see CVE-2020-16996.

Take Action

To protect your environment and prevent outages, you must do the following:

  1. Update all devices that host the Active Directory domain controller role by installing the December 8, 2020 Windows update or a later Windows update. Be aware that installing the Windows update does not fully mitigate the security vulnerability. You must perform Step 2.

  2. Enable Enforcement mode on all Active Directory domain controllers. Starting with the March 9, 2021 update, Enforcement mode can be enabled on all Windows domain controllers.

Timing of updates

These Windows updates will be released in two phases:

  • The initial deployment phase for Windows updates released on or after December 8, 2020.

  • The enforcement phase for Windows updates released on or after March 9, 2021.

December 8, 2020: Initial Deployment Phase

The initial deployment phase starts with the Windows update released on December 8, 2020 and continues with a later Windows update for the Enforcement phase. These and later Windows updates make changes to Kerberos.

This release:

  • Addresses CVE-2020-16996 (disabled by default).

  • Adds support for the NonForwardableDelegation registry value to enable protection on Active Directory domain controller servers. By default, the value does not exist.

Mitigation consists of the installation of the Windows updates on all devices that host the Active Directory domain controller role and read-only domain controllers (RODCs), and then enabling Enforcement mode.

March 9, 2021: Enforcement Phase

The March 9, 2021 release transitions into the enforcement phase. Enforcement phase enforces the changes to address CVE-2020-16996. Active Directory domain controllers will now be in Enforcement mode unless the enforcement mode registry key is set to 1 (Disabled). If the Enforcement mode registry key is set, the setting will be honored. Going to Enforcement mode requires that all Active Directory domain controllers have the December 8, 2020 update or a later update installed.

Installation guidance

Before installing this update

You must have the following required updates installed before you apply this update. If you use Windows Update, these required updates will be offered automatically as needed.

  • You must have the SHA-2 update (KB4474419) that is dated September 23, 2019 or a later SHA-2 update installed and then restart your device before you apply this update. For more information about SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

  • For Windows Server 2008 R2 SP1, you must have installed the servicing stack update (SSU) (KB4490628) that is dated March 12, 2019. After update KB4490628 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU update, see ADV990001 | Latest Servicing Stack Updates.

  • For Windows Server 2008 SP2, you must have installed the servicing stack update (SSU) (KB4493730) that is dated April 9, 2019. After update KB4493730 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.

  • Customers are required to purchase the Extended Security Update (ESU) for on-premises versions of Windows Server 2008 SP2 or Windows Server 2008 R2 SP1 after extended support ended on January 14, 2020. Customers who have purchased the ESU must follow the procedures in KB4522133 to continue receiving security updates. For more information on ESU and which editions are supported, see KB4497181.

Important You must restart your device after you install these required updates.

Install the update

To resolve the security vulnerability, install the Windows updates and enable Enforcement mode by following these steps.

Warning Intermittent authentication problems may occur if these Windows updates and the registry value are applied inconsistently in one or both of the following scenarios:

  • The December 8, 2020 Windows update is installed inconsistently on the Active Directory domain controllers and the NonForwardableDelegation value is set to 0 inconsistently on those domain controllers.

  • The March 9, 2021 Windows update, which implicitly enables Enforcement mode, is installed inconsistently on the Active Directory domain controllers. Enforcement mode requires that the December 8, 2020 Windows update first be installed on all Windows Server 2008 R2 or earlier Active Directory domain controllers that are located in Caller, Intermediate, or Target domains.

Important Both Windows updates and the registry value must be applied consistently on ALL Active Directory domain controllers in your environment.


Step 1: Install the Windows update

Install the December 8, 2020 Windows update or a later Windows update to all devices that host the Active Directory domain controller role in the forest, including read-only domain controllers.

Windows Server product                                     | KB #    | Type of update
-----------------------------------------------------------|---------|----------------
Windows Server, version 20H2 (Server Core Installation)    | 4592438 | Security Update
Windows Server, version 2004 (Server Core installation)    | 4592438 | Security Update
Windows Server, version 1909 (Server Core installation)    | 4592449 | Security Update
Windows Server, version 1903 (Server Core installation)    | 4592449 | Security Update
Windows Server 2019 (Server Core installation)             | 4592440 | Security Update
Windows Server 2019                                        | 4592440 | Security Update
Windows Server 2016 (Server Core installation)             | 4593226 | Security Update
Windows Server 2016                                        | 4593226 | Security Update
Windows Server 2012 R2 (Server Core installation)          | 4592484 | Monthly Rollup
                                                           | 4592495 | Security Only
Windows Server 2012 R2                                     | 4592484 | Monthly Rollup
                                                           | 4592495 | Security Only
Windows Server 2012 (Server Core installation)             | 4592468 | Monthly Rollup
                                                           | 4592497 | Security Only
Windows Server 2012                                        | 4592468 | Monthly Rollup
                                                           | 4592497 | Security Only
Windows Server 2008 R2 Service Pack 1                      | 4592471 | Monthly Rollup
                                                           | 4592503 | Security Only
Windows Server 2008 Service Pack 2                         | 4592498 | Monthly Rollup
                                                           | 4592504 | Security Only

Step 2: Enable Enforcement mode

After all devices that host the Active Directory domain controller role have been updated, wait at least a full day to allow all outstanding Service for User to Self (S4U2self) Kerberos service tickets to expire. Then, enable full protection by deploying Enforcement mode. To do this, enable the Enforcement mode registry key.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Note This registry value is not created by installing this update. You must add this registry value manually.

Registry subkey:        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc
Value:                  NonForwardableDelegation
Data type:              REG_DWORD
Data:                   1: Disables Enforcement mode.
                        0: Enables Enforcement mode. This is the protected state.
Default:                1
Is a restart required?  No


Notes about the "NonForwardableDelegation" registry value:

  • If the registry value is set, it will take precedence over the Enforcement mode setting included in the March 9, 2021 Windows updates.

    • If the registry value is set to 1 (Disable), forwarding will be allowed on Kerberos service tickets that are marked as forwardable.

    • If the registry value is set to 0 (Enable), forwarding will NOT be allowed on Kerberos service tickets that are marked as forwardable and Enforcement mode is enabled.

  • If your domain includes Windows Server 2008 R2 or earlier Active Directory domain controllers, you do not have to set Enforcement mode because these domain controllers do not support RBCD.

  • Failure to consistently update all Active Directory domain controllers when enabling Enforcement mode will result in intermittent service delegation failures.

  • Before setting Enforcement mode:

    • All Active Directory domain controllers must be updated with the December 8, 2020 Windows update or a later Windows update, and

    • All outstanding S4U2self Kerberos service tickets must have expired; allow this by waiting a day after completing the Windows update deployment to all Active Directory domain controllers.
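The following PowerShell is an added example for Steps 1 and 2 and is not part of the Microsoft article. It assumes the ActiveDirectory module is available on the machine it runs from and that PowerShell remoting (and PowerShell 3.0 or later) is available on every domain controller. It reports the NonForwardableDelegation value and a heuristic patch-state indicator for every domain controller in the forest, including read-only domain controllers, and warns when the value differs between DCs, which the Warning above identifies as the cause of intermittent authentication failures. The -Enforce switch is this script's own name for the option that writes the value 0 (Enforcement mode) documented above; run the script without it first, and only use -Enforce after all DCs are updated and the one-day wait for S4U2self tickets to expire has passed.

```powershell
# Added example, not code from the Microsoft article.
# Audits, and with -Enforce sets, the NonForwardableDelegation value on all DCs.
[CmdletBinding()]
param(
    [switch]$Enforce   # hypothetical option of this script: write 0 (Enforcement mode on)
)

Import-Module ActiveDirectory -ErrorAction Stop

# Registry location and value name as documented in the article.
$KdcKey    = 'HKLM:\System\CurrentControlSet\Services\Kdc'
$ValueName = 'NonForwardableDelegation'

# Every DC in every domain of the forest, RODCs included: the article requires
# the update and the value to be applied consistently on ALL of them.
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$results = Invoke-Command -ComputerName $dcs.HostName `
    -ArgumentList $KdcKey, $ValueName, [bool]$Enforce -ScriptBlock {
    param($key, $name, $enforce)

    if ($enforce) {
        # The update does not create the value; -Force creates or overwrites it.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }

    $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    # Absent value means the default, which the article gives as 1 (Enforcement mode disabled).
    $value = if ($item) { "$($item.$name)" } else { '<absent, default 1>' }

    # Heuristic only: any update installed on or after the December 8, 2020 release date.
    # Later cumulative updates supersede the December KBs, so a missing hit is a prompt
    # to check manually, not proof that the DC lacks the fix.
    $patched = [bool](Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2020-12-08' })

    [pscustomobject]@{
        DC                  = $env:COMPUTERNAME
        OS                  = (Get-CimInstance Win32_OperatingSystem).Caption
        NonForwardableDelegation = $value
        PatchedSinceDec2020 = $patched
    }
}

$results | Sort-Object DC |
    Format-Table DC, OS, NonForwardableDelegation, PatchedSinceDec2020 -AutoSize

# Flag inconsistency between DCs: the article warns it causes intermittent
# authentication and service delegation failures.
$distinct = @($results.NonForwardableDelegation | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "NonForwardableDelegation differs across DCs: $($distinct -join ', ')"
}
if ($results | Where-Object { -not $_.PatchedSinceDec2020 }) {
    Write-Warning 'At least one DC shows no update installed since 2020-12-08; verify it before enabling Enforcement mode.'
}
```

The value is written as 0 because, per the table above, 0 is the protected state and 1 disables enforcement; reading the result back on each DC after writing confirms the change landed before the consistency check runs.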

Additional considerations

When this protection is enabled, it unifies the logic for Resource-Based Constrained Delegation (RBCD) with the original constrained delegation. This can cause issues in the following two scenarios:

  • A single service simultaneously uses original Kerberos Constrained Delegation (KCD) without protocol transition to one target while it is using RBCD with protocol transition to another. After this change, the denial of protocol transition will apply to both styles of delegation.

  • RBCD is used in a domain that uses domain controllers that are not updated with CVE-2020-16996 or running older versions of Windows Server (older than Windows Server 2012) that do not have an available update for CVE-2020-16996. The Key Distribution Centers (KDCs) that are not updated will not flag S4U2self Kerberos service tickets as okay for delegation and protocol transition will be denied.
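The following PowerShell is an added, read-only example for the first scenario above and is not part of the Microsoft article. It assumes the ActiveDirectory module. It lists front-end accounts that are configured for original constrained delegation (msDS-AllowedToDelegateTo) without protocol transition (TrustedToAuthForDelegation not set) and that are at the same time trusted by some resource through RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity), so that a directory owner can find the services the article says may break before turning on Enforcement mode. The AD module exposes the RBCD attribute as an ActiveDirectorySecurity object; the matching is done on the SIDs of its access rules.

```powershell
# Added example, not code from the Microsoft article. Read-only audit.
Import-Module ActiveDirectory -ErrorAction Stop

# Front-end accounts using original KCD without protocol transition
# (TrustedToAuthForDelegation is the "Use any authentication protocol" setting).
$kcdNoPT = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, objectSid, sAMAccountName |
    Where-Object { -not $_.TrustedToAuthForDelegation }

# Index them by SID for matching against RBCD access rules.
$kcdNoPTBySid = @{}
foreach ($acct in $kcdNoPT) { $kcdNoPTBySid[$acct.objectSid.Value] = $acct }

# Resources that trust one or more front-end accounts via RBCD.
$rbcdTargets = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, sAMAccountName

$findings = foreach ($target in $rbcdTargets) {
    $sd = $target.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    foreach ($ace in $sd.Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable (for example deleted) principals are skipped
        }
        if ($kcdNoPTBySid.ContainsKey($sid)) {
            $frontEnd = $kcdNoPTBySid[$sid]
            [pscustomobject]@{
                FrontEndAccount    = $frontEnd.sAMAccountName
                KcdTargets         = ($frontEnd.'msDS-AllowedToDelegateTo' -join '; ')
                RbcdResource       = $target.sAMAccountName
                ProtocolTransition = $false
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'These front-end accounts mix KCD without protocol transition and RBCD; after the change, the denial of protocol transition applies to both styles of delegation.'
} else {
    'No front-end account mixes KCD without protocol transition with RBCD.'
}
```

Each finding names the front-end account, the targets it reaches through original KCD, and the resource that trusts it through RBCD, which is the information needed to decide whether to grant protocol transition to that account or to move it to a single delegation style before enabling Enforcement mode.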
