Upcoming Windows Server TGT updates may break authentication.

Upcoming Windows Server TGT updates may break authentication.

Summary

Microsoft has recently taken to the Reddit community regarding upcoming changes to Kerberos TGT delegation; these changes may cause service disruption for the unprepared.

The Change

The update itself will cause the default value of EnableTGTDelegation to change from Yes to No and is due to take place during the May/July 2019 patch cycle.

Will I be affected?

Unconstrained delegation across forests is a common way for organisations to manage authentication over multiple forests.

If EnableTGTDelegation is not set explicitly on your domain controllers, this change to the default setting will break any application or service that relies on unconstrained delegation across forests.

Microsoft has provided a PowerShell script to help identify any possibly affected services, please refer to this KB article.

Vulnerability

Microsoft has provided the following reason for why they have decided to make this change:

The current default configuration for this feature is unsafe when incoming trusts are created.
 This is because the configuration lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest.

If you would like a more in-depth explanation of the changes or how to prepare, please check out Microsoft’s TechCommunity blog and the relevant patch notes.