Hi,

We've just started encountering problems at customer sites with Kerberos-enabled clients as a result of how Microsoft appears to be approaching CVE-2020-17049 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The details on this CVE are slim on Mitre and there is a small amount of additional information on the Microsoft portal. I thought I'd ask the list what their thoughts are on what is being done here.

Disabling service ticket and TGT renewability is not great and it obviously breaks long-running processes that rely on renewability of these items. I'm sure we could move to an alternate approach where we do not renew these items but rather obtain a new one, but the changes are likely non-trivial across many different projects.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049

>> *How does this patch affect third-party Kerberos clients?*
>> When the registry key is set to 1, patched domain controllers will issue service tickets and Ticket-Granting Tickets (TGT)s that are not renewable and will refuse to renew existing service tickets and TGTs. Windows clients are not impacted by this since they never renew service tickets or TGTs. Third-party Kerberos clients may fail to renew service tickets or TGTs acquired from unpatched DCs. If all DCs are patched with the registry set to 1, third-party clients will no longer receive renewable tickets.

*--Luke Hebert* | cloudera.com <https://www.cloudera.com>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
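
The behaviour quoted above can be checked from the client side by looking for the renewable (`R`) flag on the TGT before attempting a renewal. The following is an added example, not part of the original post or of any Kerberos project's code; it assumes MIT `klist -f` output, and the principal, realm and cache contents are constructed samples.

```python
import re

# Constructed `klist -f` samples: a TGT from an unpatched DC (has R), and one
# from a patched DC with the registry key set to 1 (no R, no "renew until").
SAMPLE_RENEWABLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: svc-etl@EXAMPLE.COM

Valid starting       Expires              Service principal
11/20/2020 09:00:00  11/20/2020 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 11/27/2020 09:00:00, Flags: FRIA
"""
SAMPLE_NON_RENEWABLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: svc-etl@EXAMPLE.COM

Valid starting       Expires              Service principal
11/20/2020 09:00:00  11/20/2020 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FIA
"""

# A ticket row is "<date> <time>  <date> <time>  <service principal>".
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)\s*$")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")


def parse_klist(text):
    """Return [(service_principal, flags)] from `klist -f` output."""
    tickets = []
    for line in text.splitlines():
        row = TICKET_RE.match(line)
        if row:
            tickets.append([row.group(1), ""])
            continue
        flags = FLAGS_RE.search(line)
        if flags and tickets:
            tickets[-1][1] = flags.group(1)  # flags line follows its ticket row
    return [tuple(t) for t in tickets]


def refresh_action(text):
    """Decide how a long-running process should refresh its TGT.

    "renew"     -> renewal can work (e.g. `kinit -R`)
    "reacquire" -> obtain a new TGT instead (e.g. `kinit -kt <keytab> <principal>`)
    """
    tgt_flags = [f for spn, f in parse_klist(text) if spn.startswith("krbtgt/")]
    if not tgt_flags:
        return "reacquire"  # no TGT in the cache at all
    return "renew" if "R" in tgt_flags[0] else "reacquire"
```
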