U-Tools: Unique Tools for Windows System Administrators
U-Move Help

KDC Ticket Signatures

CVE-2020-17049 disclosed a security vulnerability in the Kerberos service tickets issued by the Key Distribution Center (KDC) in Active Directory. If the ticket is not digitally signed it is possible for an attacker to tamper with the ticket when used for constrained delegation to another domain controller.

To address the security vulnerability, Microsoft added the mandatory signing of Kerberos service tickets issued by the Key Distribution Center (KDC) in an Active Directory domain controller (DC). The security update signs the Kerberos service tickets with the SHA-2 digital signature algorithm.

SHA-2 signatures for service tickets are enforced on Windows domain controllers after July 13, 2021 (KB4598347).

Important: Microsoft has announced that unsupported domain controllers "will no longer work" with supported domain controllers (KB4598347). Presumably this will happen when Windows Update is applied on or after July 13, 2021 ("mandatory enforcement phase"). It appears that this will adversely affect interoperability with other domain controllers that do not support SHA-2 or do not have the KDC fix applied. At minimum, Kerberos Constrained Delegation (KCD) for service tickets will not work. It is unclear if other network operations such as AD replication will be affected.


U-Move warns about CVE-2020-17049
U-Move version 2.7.4001 or later will warn you if it detects this situation. It will check AD configuration when you clone or upgrade Active Directory, making sure that the old domain controller and the new domain controller have the CVE-2020-17049 update and the SHA-2 update applied consistently to each DC.

To receive the warning, the backup snapshot (.BKF file) must be created by U-Move 2.7.4001 or later.


How to update Active Directory for CVE-2020-17049

Windows Server 2008 R2: Update the servicing stack, and then apply KB5001392.

Windows Server 2008: Apply KB5001332 or KB5001389.

To apply these updates you must have Extended Security Updates from Microsoft with the SHA-2 update installed.


For more information

For more information see Kerberos Constrained Delegation Overview.