Microsoft engineers are working on fixing bugs that many administrators have encountered after installing the November updates, specifically the patch for the CVE-2020-17049 vulnerability: after the update, enterprise domain controllers run into Kerberos authentication problems. As a reminder, Kerberos long ago replaced NTLM as the default authentication protocol for domain-joined devices, starting with Windows 2000 and continuing in every later Windows version.
Vulnerability CVE-2020-17049, fixed in November's Patch Tuesday, is exploitable over the network and is tied to Kerberos Constrained Delegation (KCD).
Microsoft now reports that after installing update KB4586781 on domain controllers (DCs) and read-only domain controllers (RODCs), Kerberos authentication issues may occur. The cause lies in how the CVE-2020-17049 fix was implemented in this update.
Experts explain that the fix is controlled by the PerformTicketSignature registry value (under the KDC service key, HKLM\SYSTEM\CurrentControlSet\Services\Kdc), which accepts three settings (0, 1, and 2), and administrators can run into different problems with each of them. Setting it to 0 can cause authentication failures in S4U scenarios (scheduled tasks, clustering, and so on). Leaving it at 1 (the default) can cause authentication failures for non-Windows clients that authenticate to a Windows domain with Kerberos.
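Because the behaviour depends on a per-DC registry value, the first thing a practitioner wants is an inventory of what every domain controller is actually running. The PowerShell below is an added example, not code from the article or from Microsoft: it reads PerformTicketSignature and checks for KB4586781 on each DC, interprets the value as described above, and warns when DCs disagree. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and an account allowed to read the DCs' registry; the KB number is the one named in the article and only applies to the Windows Server 2016 / Windows 10 1607 build, other builds ship the fix under different KB numbers.

```powershell
# Added example (not from the article): audit PerformTicketSignature and the
# November 2020 patch state on every domain controller in the current domain.
# Assumptions: RSAT ActiveDirectory module installed, WinRM reachable on all DCs,
# run under an account permitted to read HKLM on the DCs.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # KDC service key
$ValueName = 'PerformTicketSignature'
$PatchKb   = 'KB4586781'   # KB named in the article; Server 2016 / Win10 1607 only

# Enumerate all DCs (RODCs included) and query them in parallel over WinRM.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($Key, $Name, $Kb)
    # SilentlyContinue: a missing value is a valid state (KDC then uses the default)
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        Value    = if ($null -eq $prop) { $null } else { [int]$prop.$Name }
        HasPatch = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    }
} -ArgumentList $KdcKey, $ValueName, $PatchKb -ErrorAction Continue

foreach ($r in $results) {
    # Map each setting to the symptom the article describes.
    $meaning = switch ($r.Value) {
        { $null -eq $_ } { 'not set (KDC uses the default, 1)' }
        { $_ -eq 0 }     { '0: S4U scenarios (scheduled tasks, clustering) may fail' }
        { $_ -eq 1 }     { '1: default; non-Windows Kerberos clients may fail to authenticate' }
        { $_ -eq 2 }     { '2: enforcement mode (not covered by the article)' }
        default          { "unexpected value $($r.Value)" }
    }
    $patchState = if ($r.HasPatch) { "$PatchKb installed" } else { "$PatchKb not found (other build or not yet patched)" }
    Write-Output ("{0,-20} {1,-45} {2}" -f $r.DC, $patchState, $meaning)
}

# Mixed settings across DCs are the configuration most likely to produce
# hard-to-reproduce failures, since clients may hit either kind of KDC.
$effective = $results | ForEach-Object { if ($null -eq $_.Value) { 1 } else { $_.Value } } | Sort-Object -Unique
if (@($effective).Count -gt 1) {
    Write-Warning "PerformTicketSignature differs across DCs (values: $($effective -join ', '))"
}

# DCs that did not answer WinRM never reach $results; list them explicitly.
$missing = $dcs | Where-Object { ($_ -split '\.')[0] -notin $results.DC }
if ($missing) { Write-Warning "No result from: $($missing -join ', ')" }
```

Run it from a management host before and after changing the value on any DC; the warning about differing values is the check worth keeping in a monitoring job until the whole DC estate is on the same setting.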
According to Microsoft, the problems affect only Windows Server and Windows 10 systems, together with the applications in corporate environments that depend on the affected Kerberos scenarios. So far, the list of affected platforms is as follows:
Microsoft says it is already working on a fix and has promised to share more details as soon as they are available.