FAS: Information about Microsoft KB KB5014754/CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923
Article ID: CTX479236
Description
• SSO will fail while trying to launch published resources and users will get the error "The username or password is incorrect". They will be able to manually authenticate after clicking OK on VDIs/published desktops, but there might be issues with published applications.
• FAS will be able to get a user smart card logon certificate from the CA, and the VDA will be able to get it from the FAS server, but the VDA will not be able to get the certificate validated by a domain controller.
• If you enable Kerberos logging (steps to enable: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging) on the VDA on which SSO failed, you will be able to see an error event with ID 3 indicating failed Kerberos smart card authentication with error code 0x42 (unknown error). The error code could be different as well, but ignore any 0x19 KDC_ERR_PREAUTH_REQUIRED errors, as those are seen by default when any client makes its first Kerberos TGT request without pre-authentication data.
Environment
Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Resolution
Before reading this article, please note the following:
- Most of the information in this article was either directly copied from the Microsoft article https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_additionalresources or was written referring to the information in it.
- Citrix does not take any responsibility if the registry changes mentioned in this article affect your environment in an unusual way.
- If you are running into issues after installing the specified KB (KB5014754) or any version superseding this KB, they cannot be resolved at the FAS or Citrix level; changes are required on your CA servers or Domain Controllers.
- In this KB article, we mainly focus on and explain the impact of the Certificate-based authentication changes on Windows domain controllers as described in Microsoft KB5014754. However, scenarios involving Kerberos authentication using certificates are not limited to FAS environments and also include general Smart Card scenarios.
GENERAL INFORMATION REGARDING THE PATCH AND THE VULNERABILITY IT ADDRESSES:-
CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923 address an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request. To address this vulnerability, you might have taken the following steps:-
• Update some or all servers that run Active Directory Certificate Services, and the Windows domain controllers that service certificate-based authentication, with the May 10, 2022 update. The May 10, 2022 update provides audit events that identify certificates that are not compatible with Full Enforcement mode (Compatibility Mode).
By November 14, 2023, or later, all devices will be updated to Full Enforcement mode. In this mode, if a certificate fails the strong (secure) mapping criteria, authentication will be denied. Enforcement can be set using the registry on DOMAIN CONTROLLERS before it becomes the default. The following are the registry values for the modes:-
Registry Subkey | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc |
Value | StrongCertificateBindingEnforcement |
Data Type | REG_DWORD |
Data | 0, 1 or 2 (see the descriptions below) |
Restart Required? | No |
Data values:-
• 1 – Checks if there is a strong certificate mapping. If yes, authentication is allowed. Otherwise, the KDC checks whether the certificate has the new SID extension and validates it. If this extension is not present, authentication is allowed if the user account predates the certificate.
• 2 – Checks if there is a strong certificate mapping. If yes, authentication is allowed. Otherwise, the KDC checks whether the certificate has the new SID extension and validates it. If this extension is not present, authentication is denied.
• 0 – Disables the strong certificate mapping check. Not recommended, because this disables all security enhancements. If you set this to 0, you must also set CertificateMappingMethods to 0x1F, as described in the Schannel registry key section of the Microsoft KB, for computer certificate-based authentication to succeed.
Note that the dates for switching to Enforcement mode by default can be changed at any time by Microsoft; refer to the Microsoft KB for any such updates.
THE FOLLOWING INFORMATION IS DIVIDED INTO TWO SECTIONS DEPENDING ON WHETHER YOU ARE RUNNING IN ENFORCEMENT MODE OR COMPATIBILITY MODE. COMPATIBILITY MODE IS CURRENTLY THE DEFAULT ON YOUR DOMAIN CONTROLLERS UNLESS MANUALLY CHANGED, OR CHANGED BY MICROSOFT TO ENFORCEMENT MODE BY DEFAULT:-
COMPATIBILITY MODE:-
• The certificates must either be mapped (secure mapping) to a user in Active Directory using the altSecurityIdentities attribute of the user object (refer to the MS KB for steps), or the certificate must have the new SID extension added to it (any patched CA includes this in certificates it issues after the patch is installed) and the SID must match the SID of the user.
• If you go with secure mapping, note that Citrix Smart Card logon certificates by default have a validity of 7 days, so you would have to keep updating the mapping with the latest certificate every 7 days (the validity can be increased by tweaking the Citrix Smart Card logon template).
• IF YOU FAIL TO MEET ANY OF THE ABOVE REQUIREMENTS (for example, if you patch your DCs but not your CA and have not done the secure mapping), authentication will still succeed and a WARNING event with ID 39 will be logged on the Domain Controller validating the certificate.
ENFORCEMENT MODE:-
• Has the same requirements as Compatibility mode, but if those requirements are not met, authentication will fail and an ERROR event with ID 39 will be logged on the Domain Controller validating the certificate.
CONTENT OF THE EVENT:-
Event Log | System |
Event Type | Warning if the KDC is in Compatibility mode; Error if the KDC is in Enforcement mode |
Event Source | Kdcsvc |
Event ID | 39 (41 for Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) |
Event Text | The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user through explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. The event then lists: User: <principal name>; Certificate Subject: <Subject name in Certificate>; Certificate Issuer: <Issuer Fully Qualified Domain Name (FQDN)>; Certificate Serial Number: <Serial Number of Certificate>; Certificate Thumbprint: <Thumbprint of Certificate> |
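To see which mode a domain controller is actually in and which certificates it is flagging, the following PowerShell (an added example, not from the Citrix or Microsoft article) reads the StrongCertificateBindingEnforcement value described above and parses recent Kdcsvc events 39, 40 and 41 out of the System log. The provider-name match and the 7-day window are assumptions.

```powershell
# Added example (not from the Citrix or Microsoft article). Run in an elevated
# PowerShell session on a domain controller; it only reads the registry and the System log.

$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$modeNames = @{
    0 = 'Disabled: strong mapping check off (not recommended)'
    1 = 'Compatibility mode: weak mappings allowed, event 39 logged as Warning'
    2 = 'Full Enforcement mode: weak mappings denied, event 39 logged as Error'
}

# An absent value means the KDC is using the default shipped with the installed update,
# so report that explicitly instead of guessing the mode.
$prop = Get-ItemProperty -Path $kdcKey -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output 'StrongCertificateBindingEnforcement is not set; the update default applies (see KB5014754).'
} else {
    $v = [int]$prop.StrongCertificateBindingEnforcement
    Write-Output ("StrongCertificateBindingEnforcement = {0} -> {1}" -f $v, $modeNames[$v])
}

# 39 = valid certificate without a strong mapping, 40 = certificate predates the account,
# 41 = SID in the certificate does not match the account (41 also replaces 39 on
# Windows Server 2008 R2 SP1 / 2008 SP2). The provider-name match is an assumption;
# the article names the event source as Kdcsvc.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 39, 40, 41; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Kdc|Key-Distribution-Center' }

# Pull the fields the event text carries (User, Certificate Issuer, Serial Number).
$rows = foreach ($e in $events) {
    $m = $e.Message
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Level  = $e.LevelDisplayName
        User   = if ($m -match 'User:\s*(\S+)')                      { $Matches[1] } else { '' }
        Issuer = if ($m -match 'Certificate Issuer:\s*([^\r\n]+)')   { $Matches[1].Trim() } else { '' }
        Serial = if ($m -match 'Certificate Serial Number:\s*(\S+)') { $Matches[1] } else { '' }
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Issuers that keep appearing here are the CAs whose certificates carry neither the SID
# extension nor an altSecurityIdentities mapping, typically an issuing CA not yet patched.
$rows | Group-Object Issuer | Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
```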
• SSO will fail while trying to launch published resources and users will get the error "The username or password is incorrect". They will be able to manually authenticate after clicking OK on VDIs/published desktops, but probably not on published applications.
• FAS will be able to get a user smart card logon certificate from the CA, and the VDA will be able to get it from the FAS server, but the VDA will not be able to get the certificate validated by a domain controller.
• If you enable Kerberos logging (steps to enable: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging) on the VDA on which SSO failed, you will be able to see the Kerberos error event described in the Description section above (event ID 3, error code 0x42) in the System event log.
TO FIX THIS:-
• Make sure you have the patch installed on both the Domain Controllers and all the issuing CA(s).
WORKAROUNDS:-
• If your Domain Controllers are patched but your CAs are not, do not put your Domain Controllers in Enforcement mode.
• If you are running in Enforcement mode, do a secure mapping of the certificate using the issuer and serial number in the altSecurityIdentities attribute of the user object in AD, by referring to the Certificate Mappings section in the MS KB.
ADDITIONAL INFORMATION:-
• There could be other scenarios for failed authentication: where the certificate predates the user account creation in AD, or where the SID included in the new SID extension does not match the actual user. The event IDs are 40 and 41 for these cases respectively. Refer to the Microsoft KB for more information.
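The issuer-and-serial-number workaround above, as an added PowerShell example (not from the Citrix or Microsoft article): it first checks whether the exported logon certificate already carries the SID extension (OID 1.3.6.1.4.1.311.25.2, which the article does not name), and otherwise builds and writes the altSecurityIdentities value. The certificate path and the sAMAccountName are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the Citrix or Microsoft article). Needs the ActiveDirectory
# module (RSAT) and a .cer export of the user's logon certificate. Path and account
# name are placeholders.

$certPath       = 'C:\temp\user-logon-cert.cer'   # placeholder: exported certificate
$samAccountName = 'jdoe'                          # placeholder: AD user to map it to

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# 1. A certificate carrying the SID extension (OID 1.3.6.1.4.1.311.25.2) is already
#    strongly mapped by the KDC, so no altSecurityIdentities entry is needed.
if ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' }) {
    Write-Output 'Certificate already contains the SID extension; explicit mapping is not required.'
    return
}

# 2. Build the X509IssuerSerialNumber mapping (the "issuer and serial number" mapping the
#    article refers to). KB5014754 writes the issuer DN in reverse (LDAP) order and the
#    serial number in reversed byte order. Splitting on ', ' assumes a DN without escaped commas.
$issuerParts = $cert.Issuer -split ',\s*'          # "CN=CA, DC=contoso, DC=com"
[array]::Reverse($issuerParts)
$issuerLdap  = $issuerParts -join ','              # "DC=com,DC=contoso,CN=CA"

$serialPairs = @([regex]::Matches($cert.SerialNumber, '..') | ForEach-Object { $_.Value })
[array]::Reverse($serialPairs)
$serialReversed = -join $serialPairs               # "2B00...12" becomes "1200...2B"

$mapping = "X509:<I>$issuerLdap<SR>$serialReversed"
Write-Output "altSecurityIdentities value: $mapping"

# 3. Add the mapping (-Add keeps existing entries). FAS logon certificates are valid for
#    7 days by default, so this has to be repeated whenever a new certificate is issued.
Import-Module ActiveDirectory
Set-ADUser -Identity $samAccountName -Add @{ altSecurityIdentities = $mapping }
Get-ADUser -Identity $samAccountName -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```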
Problem Cause
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_additionalresources
Issue/Introduction
This article is for customers who need to know the potential impact on FAS SSO/Smart Card Logons after installing the MS KB KB5014754 or above on the CA servers or Domain Controllers.
Additional Information
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_additionalresources