December 5, 2020

Microsoft releases KB4594442 to fix Kerberos protocol authentication problem


Kerberos is a network authentication protocol developed at the Massachusetts Institute of Technology. It uses encryption to keep communication secure in a non-secure network environment.

There is also software of the same name that implements the protocol for encrypted communication between server and client. Microsoft broke this protocol in its previous cumulative update.

A similar problem occurred in Windows 10 v1809 a few days ago. Devices in domains that use Kerberos may not be able to automatically renew their identity credentials.

Therefore, Microsoft has launched an out-of-band update (KB4594442) to fix this problem. If an enterprise uses this protocol for domain control, it can manually download the update for installation.

This out-of-band update is mainly used to resolve authentication issues related to the PerformTicketSignature registry subkey in CVE-2020-17049.

When the registry value is set to 1, which is the default, Kerberos service tickets and ticket-granting tickets (TGTs) cannot be renewed for non-Windows Kerberos clients. When the registry value is set to 0, all Service for User (S4U) scenarios, such as scheduled tasks, clusters, and program services, may fail.

If the domain controllers are not all at the same update level and the value is left at its default, S4UProxy delegation will also fail during ticket referral in cross-domain scenarios.

Therefore, enterprises that use this protocol for domain control should update all devices. After the update, the registry keys can be set to the default for normal use.