
sbradley
Contributing Writer

How to reset a Kerberos password and get ahead of coming updates

How-To
Nov 23, 2022 (6 min read)
Windows Security

If you haven’t already, now is the time to reset your Kerberos password — take proactive action to ensure that you are one step ahead and prepared nearly a year in advance of future hardening.

Do you recall when you last reset your Kerberos password? Hopefully that was not the last time I suggested you change it, back in April of 2021, when I urged you to do a regular reset of the KRBTGT account password. If you’ve followed my advice, you are already one step ahead of the side effects caused by the November updates that introduced Kerberos changes.

While many of you may be waiting to install the “fixed” versions of the updates that deal with the introduced authentication issues, or you may wish to install the out-of-band updates that will fix the side effects, there are more steps to do this patching month and in the months ahead.

If you don’t regularly patch your domain controllers on a monthly basis and want to skip over all of the side effects, the best methodology to ensure that you do not suffer side effects is to install the November 8 updates on your workstations and non-domain controller servers as usual, using your normal installation schedule.

Manually download and install out-of-band updates

Then, for your domain controllers only, you’ll want to manually install the out-of-band updates. Note that these out-of-band updates are not offered through Windows Update or WSUS; they must be downloaded and installed manually. You can import them into WSUS, but if you have a limited number of domain controllers it may be faster to place the patch on a network share, script the install onto the impacted domain controllers, and force a reboot.

A simple command such as wusa [Windows name of file].msu /quiet /norestart will allow you to deploy updates.

The /quiet switch tells the installer to run without any user interface or prompts, and the /norestart switch tells it not to prompt for or trigger a restart after the installation completes. Once the installation is complete, kick off a reboot of your domain controller servers as needed.
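The scripted deployment described above, as an added example that is not the article's own script: it copies an out-of-band .msu to each domain controller, runs wusa with the /quiet and /norestart switches, and reboots only the DCs that installed something, one at a time. The share path, .msu name and KB number are placeholders, and it assumes PowerShell Remoting rights on every DC.

```powershell
# Added example, not the article's own script: push an out-of-band .msu to
# each domain controller, install it with the wusa switches described above,
# and reboot only the DCs that report a successful install, one at a time.
# Placeholders/assumptions: the share path and .msu name, the KB number used
# for the post-install check, and PowerShell Remoting rights to every DC.
$MsuSource = '\\fileserver\patches\PLACEHOLDER-out-of-band-update.msu'  # placeholder
$KbId      = 'KBNNNNNNN'                                                # placeholder
$DCs       = (Get-ADDomainController -Filter *).HostName                # or a hand-picked list

$report = foreach ($dc in $DCs) {
    $session  = New-PSSession -ComputerName $dc
    $localMsu = "C:\Windows\Temp\$(Split-Path $MsuSource -Leaf)"
    # Copy through the session from the admin workstation; the DC never has to
    # reach the share itself, which sidesteps the Kerberos double-hop problem.
    Copy-Item -Path $MsuSource -Destination $localMsu -ToSession $session -Force

    $exitCode = Invoke-Command -Session $session -ArgumentList $localMsu -ScriptBlock {
        param($msu)
        # /quiet: no UI or prompts.  /norestart: this script decides when to reboot.
        $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$msu`" /quiet /norestart" `
                           -Wait -PassThru
        $p.ExitCode
    }
    Remove-PSSession $session

    # wusa exit codes as commonly documented: 0 = installed, 3010 = installed and
    # reboot required, 2359302 = already installed; anything else needs a look.
    $installed = $exitCode -in 0, 3010
    [pscustomobject]@{ DC = $dc; ExitCode = $exitCode; Rebooted = $installed }
    if ($installed) {
        # Reboot serially and wait for remoting to come back before the next DC.
        Restart-Computer -ComputerName $dc -Force -Wait -For PowerShell -Timeout 900
    }
}

$report | Format-Table -AutoSize
# Confirm the package is present on every DC once they are all back.
foreach ($dc in $DCs) {
    Get-HotFix -Id $KbId -ComputerName $dc -ErrorAction SilentlyContinue |
        Select-Object PSComputerName, HotFixID, InstalledOn
}
```

Rebooting DCs serially rather than all at once keeps authentication available while the fleet is patched.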

Preparing for future vulnerability updates

Now that your domain controllers are protected against the current Kerberos vulnerabilities, you need to plan for future vulnerability updates and protections. The November updates also lay the groundwork for additional future hardening. As noted in the blog post by Sander Berkouwer, you’ll want to take proactive action to ensure that you are one step ahead and ready nearly a year in advance of the future hardening.

As noted in the blog, Microsoft is planning future Netlogon and Kerberos Protocol changes. You’ll want to review two KB articles that detail the changes and enforcement that will occur in the future.

There are three KBs that you need to review for future impact to your network:

The first KB, KB5020805, details the first set of enforcement-impacting Kerberos protocol changes. This will be a phased rollout. The initial deployment phase is included in the November (or later) security updates. It fixes the identified Kerberos vulnerability and also begins writing events to the System event log should your network need additional action. The December (or later) updates will include changes to the Kerberos protocol that move Windows domain controllers to Audit mode. With this update, all devices will be in Audit mode by default: if the signature is either missing or invalid, authentication is still allowed.

Additionally, an audit log will be created. If the signature is missing, raise an event and allow the authentication. If the signature is present, validate it. If the signature is incorrect, raise an event and allow the authentication.

Kerberos hardening updates to come

The April (or later) cumulative updates will begin to harden Kerberos and remove the ability to disable Privilege Attribute Certificate (PAC) signature addition. Then, in the July 2023 or later cumulative updates, the ability to set value 1 for the KrbtgtFullPacSignature subkey will be removed. Finally, nearly a full year after the initial phase, full enforcement begins with the October 2023 (or later) cumulative updates. This final stage removes support for the KrbtgtFullPacSignature registry subkey and for Audit mode, and all service tickets without the new PAC signatures will be denied authentication.

The second KB, KB5021130, details the second enforcement series, which covers Netlogon changes. As noted, the November (and later) updates began the process of installing the updates and setting the groundwork for future enforcement phases. Once the April 11, 2023 (or later) cumulative updates are installed in your domain, the next phase begins.

After this update is installed, RequireSeal will be moved to enforced mode unless administrators explicitly configure it for compatibility mode. Vulnerable connections from all clients, including third parties, will be denied authentication. At this point, enforcement can still be delayed. Then the cumulative updates released on July 11, 2023 (and later) will remove the ability to set value 1 for the RequireSeal subkey.

The registry keys introduced starting with the November updates include the following:

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Value: RequireSeal

Data type: REG_DWORD

Data:

0 – Disabled

1 – Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows, or if they are acting as either domain controllers or Trust accounts.

2 – Enforcement mode. All clients are required to use RPC Seal, unless they are added to the “Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO).

Review the event logs after the installation of the November (and later) updates for Event 5838, Event 5839 and Event 5840.

Final Kerberos updates

The next and final part of the hardening in the November and later updates impacts Kerberos. The patch KB5021131 introduces additional hardening. After you have installed the November (or later) updates, first run a command to explicitly look for impacted accounts in your network:

Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18"

Look for Event ID 42 and the event text “The Kerberos Key Distribution Center lacks strong keys for account: [account name]. You must update the password of this account to prevent use of insecure cryptography. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.”

Note that if you already rotated your Kerberos passwords as I recommended earlier, you probably won’t see this error.

Accounts that are flagged for explicit RC4 usage may be vulnerable. In addition, environments that do not have AES session keys for krbtgt may be vulnerable.
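A readiness check covering both the Netlogon section (RequireSeal and Events 5838 through 5840) and the Kerberos section above (Event ID 42 and the encryption-type filter), as an added example that is not the article's own: it reads the registry values on each domain controller, counts the relevant events, and lists accounts that advertise RC4 without any AES type. It assumes the ActiveDirectory module and remoting rights to every DC; the 30-day look-back window is a constructed value, and the KrbtgtFullPacSignature path is the one KB5020805 documents.

```powershell
# Added example, not the article's own script: audit each DC for the hardening
# state described in KB5020805, KB5021130 and KB5021131.
# Assumptions: RSAT ActiveDirectory module, remoting rights to all DCs, and a
# constructed 30-day window for the event-log search.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-30)
$DCs   = (Get-ADDomainController -Filter *).HostName
$sealNames = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Enforced' }

$dcState = foreach ($dc in $DCs) {
    Invoke-Command -ComputerName $dc -ArgumentList $since, $sealNames -ScriptBlock {
        param($since, $sealNames)
        $nl  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
        $kdc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue  # path per KB5020805
        # An absent value means the update's built-in default applies (which
        # changes with each phase), so report that rather than guessing.
        $seal = if ($null -ne $nl.RequireSeal) { $sealNames[[int]$nl.RequireSeal] } else { 'not set (update default)' }
        $pac  = if ($null -ne $kdc.KrbtgtFullPacSignature) { $kdc.KrbtgtFullPacSignature } else { 'not set (update default)' }
        # Netlogon 5838-5840 flag clients still using unsealed RPC; KDC event 42
        # flags accounts whose keys are RC4-only (the KB5021131 check above).
        $netlogon = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON';
                        Id = 5838, 5839, 5840; StartTime = $since } -ErrorAction SilentlyContinue
        $kdc42    = Get-WinEvent -FilterHashtable @{ LogName = 'System';
                        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center';
                        Id = 42; StartTime = $since } -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC                    = $env:COMPUTERNAME
            RequireSeal           = $seal
            KrbtgtFullPacSignature = $pac
            NetlogonEvents5838to40 = @($netlogon).Count
            KdcEvent42            = @($kdc42).Count
        }
    }
}
$dcState | Format-Table -AutoSize

# Accounts advertising a legacy type (0x7 = DES-CRC | DES-MD5 | RC4) with no AES
# type (0x18 = AES128 | AES256): the same filter KB5021131 publishes.
$rc4Only = Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18" `
                        -Properties msDS-supportedEncryptionTypes
$rc4Only | Select-Object Name, ObjectClass, msDS-supportedEncryptionTypes | Format-Table -AutoSize
```

Any DC with a non-zero KdcEvent42 count, or any object returned by the filter, points to an account whose password (or krbtgt's) still needs to be rotated so AES keys exist before enforcement arrives.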

Clearly Microsoft knows these updates will be impactful to your network and is slowly rolling out the changes. Take the time to review your network for impact and take action now.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
