HagueSt Blog

A personal blog to compile notes, thoughts, and many mistakes of a SysAdmin's journey.

ADFS & CVE-2020-17049

2020-11-20 2 min read Info

Microsoft recently released a patch for Kerberos and the KDC service on domain controllers. It addresses CVE-2020-17049, a serious vulnerability in Kerberos ticket signing, by having the KDC add a signature to the tickets it issues. However, the patch presented a problem with our domain-joined Qumulo storage appliance: no user could authenticate to its SMB shares any more. To work around the issue, we followed the instructions to turn ticket signing off on the domain controllers by adding a DWORD value named PerformTicketSignature, set to 0, under HKLM\SYSTEM\CurrentControlSet\Services\Kdc\. (Value 0 disables the protection the patch adds entirely, so it is a stopgap, not a fix.)

After making this change, SMB authentication worked again and the week went on as normal. We did not yet know what else we had broken…

Today, our help desk called to report that our self-service ticket portal, which uses ADFS for authentication, no longer lets people log in. The ADFS logon page simply returned users to the logon page with no error message.

Checking the ADFS log under Applications and Services Logs in Event Viewer, we found the following error logged on every login attempt:

The digitally signed Privilege Attribute Certificate (PAC) that 
contains the authorization information for client USERACCOUNT 
in realm <NETBIOSDOMAIN> could not be validated.
 
This error is usually caused by domain trust failures; Contact your system administrator.

Setting PerformTicketSignature in HKLM\SYSTEM\CurrentControlSet\Services\Kdc\ back to a non-zero value (1 for deployment mode, 2 for enforcement mode) let the KDC sign tickets again, so ADFS could validate the PAC and users could log in once more. Note that the event text points at domain trust failures; the real cause was the disabled ticket signature on the domain controllers.
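The following PowerShell is an added example, not code from the original post: it audits the PerformTicketSignature value on every domain controller, sets it to a chosen mode, and searches an AD FS server's event log for the PAC validation failure described above. It assumes the ActiveDirectory RSAT module, WinRM access to the DCs, and that the AD FS log is named 'AD FS/Admin' (the post refers to it as Applications and Services Logs\ADFS); the function names are this example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Assumes RSAT AD module and WinRM to the DCs.

$KdcPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'PerformTicketSignature'

# Meaning of the DWORD per Microsoft's guidance for CVE-2020-17049:
#   0 = ticket signatures disabled (the workaround that broke AD FS logins here)
#   1 = deployment mode
#   2 = enforcement mode
# An absent value means the patch's default for the current rollout phase.
$Modes = @{ 0 = 'Disabled'; 1 = 'Deployment'; 2 = 'Enforcement' }

function Get-KdcTicketSignatureMode {
    # One row per DC with the current value, or 'NotSet' when the value is absent.
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        param($Path, $Name)
        $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC    = $env:COMPUTERNAME
            Value = if ($null -ne $prop) { [int]$prop.$Name } else { 'NotSet' }
        }
    } -ArgumentList $KdcPath, $ValueName |
        Select-Object DC, Value, @{
            n = 'Mode'
            e = { if ($_.Value -is [int] -and $Modes.ContainsKey([int]$_.Value)) { $Modes[[int]$_.Value] } else { 'Unknown/NotSet' } }
        }
}

function Set-KdcTicketSignatureMode {
    # Writes the DWORD on every DC. Use 1 or 2 to restore ticket signing; 0 turns it off.
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Mode
    )
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        param($Path, $Name, $Mode)
        # -Force overwrites an existing value and creates it when absent.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Mode -Force | Out-Null
        "$env:COMPUTERNAME : $Name = $Mode"
    } -ArgumentList $KdcPath, $ValueName, $Mode
}

function Find-AdfsPacValidationFailures {
    # Returns the PAC validation failures from the AD FS Admin log in the last N hours,
    # with the client account pulled out of the message text. Log name is an assumption.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'AD FS/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?s)Privilege Attribute Certificate \(PAC\).*could not be validated' } |
        Select-Object TimeCreated, Id, @{
            n = 'Client'
            e = { if ($_.Message -match '(?s)for client (\S+)') { $Matches[1] } else { '' } }
        }
}

# Usage (from an elevated PowerShell session with the AD RSAT tools installed):
#   Get-KdcTicketSignatureMode | Format-Table -AutoSize
#   Find-AdfsPacValidationFailures -ComputerName adfs01 -Hours 48 | Format-Table -AutoSize
#   Set-KdcTicketSignatureMode -Mode 1      # restore ticket signing (deployment mode)
```

Running the audit first tells you whether every DC agrees on the value; a mix of 0 and non-zero DCs produces intermittent failures depending on which KDC issued the ticket. The event search lets you confirm the AD FS symptom is the PAC validation error from this post before touching the registry again.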

Moral of the story: pay attention to Microsoft's Patch Tuesday notes and stay ever vigilant. Any workaround that disables a newly added security check should be recorded and revisited, because the side effects may only show up elsewhere days later.

More information on the patch can be seen here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049