After the Windows updates from November 2020, you might run into failures with Bulk Inserts or linked servers if you keep a session open for more than 10 hours.
Recent changes on the Windows side altered the way S4U (unconstrained delegation) Kerberos tickets work.
This is a long-standing SQL Server issue: it expects to keep long-lived delegatable sessions open without the user ever re-authenticating. The issue is normally hidden by the fact that the TGT can be renewed for up to 7 days by default. However, a recent patch for PerformTicketSignature was released, and with its default setting renewable tickets are no longer issued.
Managing deployment of Kerberos S4U changes for CVE-2020-17049 (microsoft.com)
- KB4586830, 10th November: November 10, 2020—KB4586830 (OS Build 14393.4046) (microsoft.com). This update introduced the issue with the ticket renewal process. After installing this update on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication and ticket renewal issues. This is caused by an issue in how CVE-2020-17049 was addressed in these updates.
- KB4594441, 19th November: November 19, 2020—KB4594441 (OS Build 14393.4048) Out-of-band (microsoft.com). This update enforces the PerformTicketSignature setting of 2.
Solution:
To solve this problem, there are two possibilities:
1. Install the December 2020 update on all Domain Controllers and set the PerformTicketSignature key to 2 on all Domain Controllers:
December 8, 2020—KB4593226 (OS Build 14393.4104) (microsoft.com)
Managing deployment of Kerberos S4U changes for CVE-2020-17049 (microsoft.com)
2. Change the authentication to constrained delegation (S4U2Proxy).
The issue only happens with unconstrained delegation (S4U), so the same problem will not occur in a constrained delegation environment.
Unconstrained delegation is considered vulnerable; a configuration with constrained delegation or resource-based constrained delegation is the most secure approach.
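As an added example (not code from the original post or from Microsoft), the PowerShell script below covers both options: it reads and sets the PerformTicketSignature value on every domain controller (option 1), and audits which accounts are configured for unconstrained, constrained or resource-based constrained delegation so SQL Server service accounts on unconstrained delegation can be found (option 2). It assumes a domain-joined admin workstation with the ActiveDirectory RSAT module and PowerShell remoting to the DCs; the registry path HKLM:\SYSTEM\CurrentControlSet\Services\Kdc and the value name are the ones documented in Microsoft's S4U deployment guidance linked above, and the function names are my own.

```powershell
# Added example, not from the original post: helpers for the two remediation
# paths above. Assumes a domain-joined admin workstation with the ActiveDirectory
# RSAT module and PowerShell remoting to the domain controllers. The KDC registry
# path and value name are the ones documented in Microsoft's CVE-2020-17049 S4U
# deployment guidance.

Import-Module ActiveDirectory

$KdcKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$KdcValue   = 'PerformTicketSignature'

# Option 1, check: read PerformTicketSignature on every DC and flag those not yet at 2.
function Get-KdcTicketSignatureState {
    param(
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
        $path = $using:KdcKeyPath
        $name = $using:KdcValue
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $current = if ($null -eq $item) { $null } else { $item.$name }
        [pscustomobject]@{
            DomainController       = $env:COMPUTERNAME
            PerformTicketSignature = if ($null -eq $current) { '<not set>' } else { $current }
            Compliant              = ($current -eq 2)
        }
    } | Select-Object DomainController, PerformTicketSignature, Compliant
}

# Option 1, fix: set the value to 2. Do this only after the December 2020 (or later)
# cumulative update is installed on every DC, as the post states. Supports -WhatIf.
function Set-KdcTicketSignature {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        if ($PSCmdlet.ShouldProcess($dc, "Set $KdcValue = 2")) {
            Invoke-Command -ComputerName $dc -ScriptBlock {
                if (-not (Test-Path $using:KdcKeyPath)) { New-Item -Path $using:KdcKeyPath -Force | Out-Null }
                Set-ItemProperty -Path $using:KdcKeyPath -Name $using:KdcValue -Value 2 -Type DWord
            }
        }
    }
}

# Option 2, audit: list every account trusted for some form of delegation and
# classify it, so SQL Server service accounts still on unconstrained delegation can
# be moved to constrained or resource-based constrained delegation. Domain
# controllers are unconstrained by default and will appear here; that is expected.
function Get-DelegationAudit {
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount',
             'servicePrincipalName'
    $accounts = @(Get-ADComputer -Filter * -Properties $props) +
                @(Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties $props)
    foreach ($a in $accounts) {
        $mode = if ($a.TrustedForDelegation) { 'Unconstrained' }
                elseif (($a.'msDS-AllowedToDelegateTo').Count -gt 0) { 'Constrained' }
                elseif (($a.PrincipalsAllowedToDelegateToAccount).Count -gt 0) { 'ResourceBased' }
                else { 'None' }
        if ($mode -eq 'None') { continue }
        [pscustomobject]@{
            Account            = $a.SamAccountName
            ObjectClass        = $a.ObjectClass
            DelegationMode     = $mode
            ProtocolTransition = [bool]$a.TrustedToAuthForDelegation
            HasSqlSpn          = [bool]($a.servicePrincipalName | Where-Object { $_ -like 'MSSQLSvc/*' })
            AllowedTargets     = (@($a.'msDS-AllowedToDelegateTo') -join ';')
        }
    }
}

# Usage:
# Get-KdcTicketSignatureState | Format-Table
# $todo = Get-KdcTicketSignatureState | Where-Object { -not $_.Compliant } | Select-Object -ExpandProperty DomainController
# Set-KdcTicketSignature -DomainControllers $todo -WhatIf
# Get-DelegationAudit | Where-Object { $_.DelegationMode -eq 'Unconstrained' -and $_.HasSqlSpn } | Format-Table
```

Run the check first and review its output: a DC reporting `<not set>` is on the update's default behaviour, and the set function only touches the DCs you pass to it. The audit's `HasSqlSpn` column narrows the list to accounts that register an MSSQLSvc SPN, which are the ones relevant to the Bulk Insert and linked server scenario described above.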
Other Windows Server Versions:
The same issue is present in all Windows security patches released after November 2020, for example:
Windows Server 2012 R2 – KB4586845
Windows Server 2012 – KB4586834
Credits:
Thank you to @dineu, Support Escalation Engineer from the SQL Server Networking Team, for your help writing this post.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.