PacRequestorEnforcement Enforcement date

Hi everyone

I wanted to share that enforcement of the PAC inside a Kerberos ticket will soon be active (22 October 2022).

If in your environment you still see such an error:

The KDC encounters a TGT or other evidence ticket without a PAC. This prevents the KDC from enforcing security checks on the ticket.

That can have an impact if you have an older domain controller, like a 2008 R2 without the extended support option, since the fix is not available for it.

A registry key exists, but after 22 October 2022 it will no longer be checked.

To quote the registry key information:

Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc
Value: PacRequestorEnforcement
Data type: REG_DWORD
Data:

1: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, no further action is taken. Active Directory domain controllers in this mode are in the Deployment phase.

2: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, the authentication is denied. Active Directory domain controllers in this mode are in the Enforcement phase.

0: Disables the registry key. Not recommended. Active Directory domain controllers in this mode are in the Disabled phase. This value will not exist after the July 12, 2022 or later updates.

Important: Setting 0 is not compatible with setting 2. Intermittent failures might occur if both settings are used within a forest. If setting 0 is used, we recommend that you transition setting 0 (Disable) to setting 1 (Deployment) for at least a week before moving to setting 2 (Enforcement mode).

Default: 1 (when registry key is not set)
Is a restart required? No

This comes from the KB5008380 (Authentication updates, CVE-2021-42287) patch.

I suggest removing those older DCs quickly if you can; otherwise, just make sure you are up to date.
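To see where each domain controller stands before the enforcement date, here is an added PowerShell example (my own illustration, not from the KB or the original post). It reads the PacRequestorEnforcement value quoted above on every DC, maps it to the Deployment/Enforcement/Disabled phase, and counts recent System log events whose message contains the "without a PAC" text shown earlier. It assumes the ActiveDirectory RSAT module and WinRM access to the DCs; the function and variable names are mine.

```powershell
# Added example: audit the PacRequestorEnforcement setting on all DCs.
# Assumes: ActiveDirectory module (RSAT) and WinRM (Invoke-Command) access to each DC.

$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# Phase descriptions taken from the KB5008380 registry documentation quoted above.
$Phases = @{
    0 = 'Disabled (not recommended; value no longer exists after the July 12, 2022 updates)'
    1 = 'Deployment (PAC validated when present; missing PAC tolerated)'
    2 = 'Enforcement (missing PAC => authentication denied)'
}

function Get-PacEnforcementPhase {
    # Translate the raw registry value (or $null when unset) into a readable phase.
    param($Value)
    if ($null -eq $Value) { return 'not set -> defaults to 1: ' + $Phases[1] }
    if ($Phases.ContainsKey([int]$Value)) { return "$Value`: " + $Phases[[int]$Value] }
    return "$Value`: unknown value"
}

# Collect one record per domain controller.
$DCs = (Get-ADDomainController -Filter *).HostName
$Report = Invoke-Command -ComputerName $DCs -ScriptBlock {
    $prop = Get-ItemProperty -Path $using:KdcKey -Name 'PacRequestorEnforcement' -ErrorAction SilentlyContinue

    # Count System log entries from the last 7 days whose message mentions a ticket
    # without a PAC (the KDC message quoted in the post). Message-text matching is
    # slower than an ID filter but avoids assuming an event ID the post does not give.
    $since = (Get-Date).AddDays(-7)
    $noPac = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -like '*without a PAC*' }).Count

    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        OSVersion   = (Get-CimInstance Win32_OperatingSystem).Caption
        RawValue    = if ($prop) { $prop.PacRequestorEnforcement } else { $null }
        NoPacEvents = $noPac
    }
}

# Present the result; DCs still logging "without a PAC" events will start
# denying those authentications once enforcement is active.
$Report | ForEach-Object {
    [pscustomobject]@{
        DC          = $_.DC
        OSVersion   = $_.OSVersion
        Phase       = Get-PacEnforcementPhase -Value $_.RawValue
        NoPacEvents = $_.NoPacEvents
    }
} | Sort-Object DC | Format-Table -AutoSize
```

Run it from a management host with domain admin rights. A DC that reports a Windows Server 2008 R2 caption, or a non-zero NoPacEvents count, is the one to deal with before the date mentioned above.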
