Kerberos Registry Key Missing on DC


Ken Dibble

Sep 28, 2023, 1:06:42 PM
to ntsys...@googlegroups.com
I'm doing due diligence on my DC to make sure I'm not going to run into any issues when the October full enforcement of the Kerberos changes takes place.

According to this document:

https://support.microsoft.com/en-gb/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

I can enable audit mode for that specific issue as follows:

"After installing the Windows updates that are dated on or after November 8, 2022, the following registry key is available for the Kerberos protocol:

KrbtgtFullPacSignature

This registry key is used to gate the deployment of the Kerberos changes. This registry key is temporary, and will no longer be read after the full Enforcement date of October 10, 2023.

Registry key

HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc

Value

KrbtgtFullPacSignature"

The DC is patched with the June 2023 CU, but not later (yeah yeah I know...)

Probably this is just my usual extreme literalness, but to my mind, the statement "the following registry key is available..." should mean, it's present on the DC. However, it's not.

I suppose that an alternate meaning for that statement is, "the following registry key is available for use, in that it will have an effect on the server, if you add it and configure it as follows ...." Maybe that's all this is--typical poor MS documentation. But before I manually add that key, I'd like to know if it should already be there and because it's not, something else is messed up.

Thanks in advance.

Ken Dibble
www.stic-cil.org




Ken Dibble

Sep 28, 2023, 1:22:33 PM
to ntsys...@googlegroups.com
I should have also said it's a Server 2012 R2 DC with a Server 2012 domain functional level.

Ken

Charles F Sullivan

Sep 28, 2023, 5:36:57 PM
to ntsys...@googlegroups.com
You do need to add the key/value. Most of the time these just don't exist and need to be created, even though MS doesn't always tell you that.

If I were you, I would create it and set it to 2 (audit) for a few days. If there are no bad events, change it to 3 while you still have the option of switching back, to see what happens, since you are not yet patched with the October CU (too late at that point, of course).



--

Charlie Sullivan

Principal Windows Systems Administrator
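As an added example (not part of the thread, and not Microsoft's code), the following PowerShell script does what the reply describes on the DC: check whether the KrbtgtFullPacSignature value exists under the KDC service key quoted from KB5020805, create it as a REG_DWORD set to 2 (audit) if it is absent, and later move it to 3 (enforce) only if the audit period produced no hits. The key path and value name are the ones quoted in the first post; 2 = audit and 3 = enforce come from the reply. Two things are assumptions of the example rather than facts from the thread: that the value is a REG_DWORD, and that audit-mode findings are written to the System log by the Kerberos-Key-Distribution-Center provider as event IDs 43 and 44 (the IDs KB5020805 lists for PAC-signature audits; check the current KB text before relying on them). The page also notes the value stops being read after the October 10, 2023 enforcement date, so the enforce step only means something on a DC patched before that.

```powershell
# Added example: manage the KB5020805 KrbtgtFullPacSignature gate on a DC.
# Key path and value name as quoted from the KB in the thread.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'KrbtgtFullPacSignature'

function Get-KrbtgtFullPacSignature {
    # Returns $null when the value is absent, which is the normal state on a
    # DC where nobody has set it yet (the situation in the thread).
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-KrbtgtFullPacSignature {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(2, 3)]   # 2 = audit, 3 = enforce (per the reply above)
        [int]$Mode
    )
    if (-not (Test-Path $KdcKey)) {
        throw "KDC service key $KdcKey is missing; this host is not a DC or is badly broken."
    }
    $before = Get-KrbtgtFullPacSignature
    if ($null -eq $before) {
        # Value does not exist yet: create it. REG_DWORD is an assumption of
        # this example, not something stated in the thread.
        New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value $Mode | Out-Null
    } else {
        Set-ItemProperty -Path $KdcKey -Name $ValueName -Value $Mode
    }
    [pscustomobject]@{ Before = $before; After = (Get-KrbtgtFullPacSignature) }
}

function Get-PacSignatureAuditEvents {
    param([int]$Days = 7)
    # Assumed audit event IDs from KB5020805: 43 = KDC could not validate the
    # full PAC signature, 44 = ticket carried no full PAC signature.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 43, 44
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating "No events were found" error when
    # there are no matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Invoke-PacSignatureRollout {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Audit', 'Enforce')]
        [string]$Phase,
        [int]$AuditDays = 7
    )
    switch ($Phase) {
        'Audit' {
            # Day 1: create/set the value to 2 and let the DC log for a few days.
            Set-KrbtgtFullPacSignature -Mode 2
        }
        'Enforce' {
            # A few days later: only move to 3 if audit mode logged nothing.
            $hits = @(Get-PacSignatureAuditEvents -Days $AuditDays)
            if ($hits.Count -gt 0) {
                Write-Warning "$($hits.Count) PAC-signature audit event(s) in the last $AuditDays days; staying in audit mode."
                $hits | Format-Table TimeCreated, Id -AutoSize
                return
            }
            # Revert with -Mode 2 if ticket requests start failing after this.
            Set-KrbtgtFullPacSignature -Mode 3
        }
    }
}

# Usage (run elevated on the DC):
#   Invoke-PacSignatureRollout -Phase Audit
#   ...wait a few days...
#   Invoke-PacSignatureRollout -Phase Enforce -AuditDays 7
Get-KrbtgtFullPacSignature
```

The script reads the current value at the end so you can see whether anything was already set before you change it; on the DC in the thread it prints nothing, because the value is absent until you create it.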

Ken Dibble

Sep 29, 2023, 9:49:14 AM
to ntsys...@googlegroups.com
Thank you!

Ken


