
Change in Kerberos of Windows 2012 may cause access denied

10/28/2012

In a meeting with Microsoft PFEs Gilson Banin and Marcelo Ferratti, a change in how Windows Server 2012 generates a Kerberos ticket was discussed: "KDC resource SID compression".

Current Situation

As is already known, the ticket carries the user's SID and the SIDs of the groups the user belongs to, plus any SID History entries left over from earlier migrations. In some cases, mainly in very large domains, the ticket could exceed the default size limit of 12 KB (the MaxTokenSize) and cause authentication problems. It is worth remembering that, for the same reason, a user's token cannot hold more than 1024 group SIDs.

Today the group list in the ticket (inside the PAC) is made up of complete SIDs: the fixed prefix (S-1-5-21), the domain SID, and in the last block the RID of the individual object:

  • S-1-5-21-3419695430-3854377854-1234
  • S-1-5-21-3419695430-3854377854-1466
  • S-1-5-21-3419695430-3854377854-1675
  • S-1-5-21-4533280865-6432248977-6523
  • S-1-5-21-4533280865-6432248977-6578
Change in Windows 2012

The change in the KDC is to stop repeating the domain SID for every group in the ticket. A ticket issued by a Windows Server 2012 domain controller is therefore smaller, and the size problem is solved without having to raise the ticket size limit.

Thus, the ticket from the previous example would become:

  • S-1-5-21-3419695430-3854377854-1234
  • 1466
  • 1675
  • S-1-5-21-4533280865-6432248977-6523
  • 6578

The problem is that servers prior to Windows Server 2012 do not "understand" the new ticket and will only match the ACEs whose SIDs appear in complete form, so the user would get access where permission was granted to SIDs 1 and 4 of the example, but not where the permission is granted to one of the other SIDs. In the real PAC the compressed entries travel in the ResourceGroupDomainSid and ResourceGroupIds fields of the KERB_VALIDATION_INFO structure (MS-PAC), which hold the groups of the resource domain; a consumer that parses the PAC and ignores those fields sees only the complete SIDs.
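To make the failure mode concrete, here is a small model of the compressed group list and of two consumers of it, one that joins the bare RIDs back to their domain SID and one that does not. This is an added illustration, not code from the original post, from Microsoft, or from any real PAC parser: it follows the post's listing (the first group of a domain written in full, the following groups as bare RIDs) and generalises it to any number of domains, whereas the real PAC keeps the compressed groups in ResourceGroupDomainSid/ResourceGroupIds and only for the resource domain. The domain SIDs, RIDs and the allow ACE are constructed for the example, and the byte sizes are an approximation of the binary SID encoding (8 + 4*n bytes for n sub-authorities, 4 bytes per bare RID) that ignores the attribute flags.

```python
"""Model of Windows Server 2012 KDC resource SID compression and of a PAC
consumer that does not expand the compressed form (added example)."""
import re

# Domain-relative SID: S-1-5-21-<A>-<B>-<C>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")

# Constructed sample: three groups in one domain, two in another.
DOMAIN_A = "S-1-5-21-3419695430-3854377854-2096516121"
DOMAIN_B = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_GROUPS = [
    f"{DOMAIN_A}-1234", f"{DOMAIN_A}-1466", f"{DOMAIN_A}-1675",
    f"{DOMAIN_B}-6523", f"{DOMAIN_B}-6578",
]


def split_sid(sid):
    """'S-1-5-21-A-B-C-RID' -> ('S-1-5-21-A-B-C', RID as int)."""
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain-relative SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def compress(full_sids):
    """Uncompressed group list -> compressed list.

    For each domain (first-seen order) the first group is kept as a full
    SID, which carries the domain SID; the remaining groups of that domain
    are emitted as bare RIDs (ints) that only mean something relative to it.
    """
    by_domain = {}
    for sid in full_sids:
        domain, rid = split_sid(sid)
        by_domain.setdefault(domain, []).append(rid)
    ticket = []
    for domain, rids in by_domain.items():
        ticket.append(f"{domain}-{rids[0]}")
        ticket.extend(rids[1:])
    return ticket


def expand(ticket):
    """Compression-aware consumer: rebuild every full SID by joining each
    bare RID to the domain SID of the last complete entry seen."""
    current_domain = None
    sids = set()
    for entry in ticket:
        if isinstance(entry, str):
            current_domain, _ = split_sid(entry)
            sids.add(entry)
        elif current_domain is None:
            raise ValueError("bare RID before any domain SID; cannot expand")
        else:
            sids.add(f"{current_domain}-{entry}")
    return sids


def legacy_view(ticket):
    """Consumer that ignores the compressed entries: it keeps only the
    entries that are still complete SIDs (cases 1 and 4 in the post)."""
    return {entry for entry in ticket if isinstance(entry, str)}


def access_allowed(token_sids, allow_ace_sids):
    """Simplified ACL check: allow if any token SID matches an allow ACE."""
    return any(sid in token_sids for sid in allow_ace_sids)


def encoded_size(ticket):
    """Approximate wire size: a binary SID is 8 + 4*n bytes for n
    sub-authorities, a bare RID is 4 bytes (attribute flags ignored)."""
    size = 0
    for entry in ticket:
        if isinstance(entry, str):
            sub_authorities = len(entry.split("-")) - 3  # drop 'S', revision, authority
            size += 8 + 4 * sub_authorities
        else:
            size += 4
    return size


if __name__ == "__main__":
    ticket = compress(SAMPLE_GROUPS)
    ace = [f"{DOMAIN_A}-1466"]  # constructed: permission granted to the 2nd group
    print("compressed ticket:", ticket)
    print("size full/compressed:", encoded_size(SAMPLE_GROUPS), encoded_size(ticket))
    print("2012-aware server:", access_allowed(expand(ticket), ace))       # True
    print("legacy server:    ", access_allowed(legacy_view(ticket), ace))  # False
```

The same ticket therefore yields two different answers for the same ACE: the consumer that expands the RIDs grants access, the one that only sees complete SIDs denies it, which is exactly the "access denied" pattern described above. The size figures show why the KDC does this at all: the domain SID is the bulk of every entry, so each group after the first in a domain shrinks from 28 bytes to 4.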

Conclusion

In an environment where there are still servers prior to Windows Server 2012, which includes Windows Server 2008 R2, access to file servers, Exchange and anything else that relies on Kerberos can fail with access denied.

Remediation

On each Windows Server 2012 domain controller, create a DWORD value named DisableResourceGroupsFields with data 1 under HKLM\SYSTEM\CurrentControlSet\Services\Kdc\Parameters to disable this feature (this is the location given in the KB article linked below; the value must be set to 1, since an absent or zero value leaves compression enabled). Each KDC decides on its own whether to compress, so the value has to be present on every 2012 domain controller that can issue tickets.


More Information: http://support.microsoft.com/kb/2774190

5 Comments
  1. Since installing our first 2012 R2 DC we've been experiencing problems with our EPiServer CMS, which uses ASP.NET 4.0. The problem has been tracked to the new DC and the SID compression; however, changing the registry value has no effect. We've had to set LdapSrvPriority and weight so that it has the lowest priority (highest number) of all servers (6) and the lowest weight (1), so no machines/users will use the new DC for authentication, and that has removed almost all instances of the following error.
    Exception message: Some or all identity references could not be translated.

    But we still get the occasional error, when a logon-request fails to find a server and falls back to the new 2012 R2 DC.

    From what we’ve read, a restart is not required, but we’ve tried it just for good measure. Any ideas if the KDC SID Compression key works differently in Windows 2012 R2 DC’s?

    • Hi Pouria,

      I'm not aware of any problems after changing the registry entries.
      One possible solution is to change the weight of the DNS records for the services to force the use of Windows 2008 domain controllers until you find a definitive solution.

      • Hi Marcelo, thanks for the reply.

        So as far as you know, there is no change in the behavior of the SID Compression between Server 2012 and Server 2012 R2?

        I’ve already changed the weight and priority of the DC, but every now and then a user gets redirected to the 2012 R2 DC and gets the compressed SIDs. So for us it seems the DisableResourceGroupsFields key doesn’t actually have any effect.

Trackbacks & Pingbacks

  1. Kerberos: what's new? | Булдаков.ru | A sysadmin's notes
  2. Kerberos: what's new? - Microsoft TechNet Engineers' Blog - Site Home - TechNet Blogs
