Microsoft has rolled out a crucial set of changes to its Privilege Attribute Certificate (PAC) Validation protocol, addressing two significant security vulnerabilities: CVE-2024-26248 and CVE-2024-29056. These updates, released in the Windows security patches of April 9, 2024, with enforcement phased in through January and April 2025, mark an important shift in how Kerberos authentication and PAC ticket validation are managed. Let’s break down what this all means for IT professionals, sysadmins, and everyday Windows users.
No server restarts are required for these changes, but testing in a staging environment is recommended.
Understanding What Is at Stake: The Kerberos Protocol and PAC Validation
To truly appreciate these updates, it’s essential to understand the core technology involved: the Kerberos authentication protocol and the accompanying Privilege Attribute Certificate (PAC).
Kerberos, Demystified
Kerberos has long been a cornerstone of secure authentication in Windows environments. Named after the mythical multi-headed dog guarding the gates of Hades, Kerberos handles authentication requests using cryptographic tickets. Imagine a world where your identification badge doesn’t just get you into the building but also grants role-specific access to various rooms within it. That badge is similar to a service ticket in Kerberos.
Here’s a quick look at how it usually works:
- Authentication: A user proves their identity to a Key Distribution Center (KDC) and gets a ticket-granting ticket (TGT).
- Service Access: The TGT is then used to request service tickets for accessing specific applications or systems.
- PACs Embedded: Alongside these tickets, PACs provide privilege details about the user, such as group memberships or special permissions.
What Is PAC Validation?
PAC Validation is essentially a vetting process to confirm the integrity and authenticity of the privileges embedded in Kerberos tickets. The Domain Controller (DC) validates the PAC through cryptographic signature checks.
The Vulnerabilities: CVE-2024-26248 and CVE-2024-29056
These two vulnerabilities stem from gaps in how PAC validation is implemented and enforced:
- CVE-2024-26248: In certain environments, the cryptographic signature validating the PAC can be spoofed or bypassed, leaving a gaping hole for privilege escalation. Essentially, attackers could exploit this to sneak in unauthorized admin-level access.
- CVE-2024-29056: Particularly impactful in cross-forest scenarios, this issue hinges on mismanagement of how validation checks travel across Active Directory (AD) trusts. In a multi-domain environment, malicious actors can bypass critical PAC verification when service tickets need to traverse domain boundaries.
Timeline of the Updates: A Crawl-Walk-Run Deployment Model
Microsoft has opted for a phased approach to implement these security changes, using a gradated progression through Compatibility, Enforcement, and Fully Enforced stages:
1. April 9, 2024 – Initial Deployment (Compatibility Mode)
- The initial patch adds improvements to PAC validation to plug these security holes; however, the enforcement is deliberately left in a Compatibility Mode to ensure patch integration doesn’t disrupt unprepared environments. Think of it as a dress rehearsal.
- Audit Logs: This phase generates Kerberos Event IDs (21, 22, 23) to assist admins in identifying non-compliant devices or systems without actually breaking services.
2. January 2025 – Enforced by Default Mode
- By January 2025, updates will shift behavior to enforce the new PAC validation rules by default across Windows environments. Administrators will still have leeway to override the enforcement via registry settings if certain legacy devices need more time for compliance.
3. April 2025 – Full Enforcement
- No wiggle room here. By April 2025, Microsoft will outright remove support for Compatibility Mode. The improved PAC validation will be a requirement, irrespective of your organization's patch status.
How to Stay Ahead: What You Must Do
Getting ahead of these impending changes requires a proactive, structured approach. Here's Microsoft's recommended three-step process, along with my tips for smooth deployment.
Step 1: Update
Apply the security updates which rolled out on April 9, 2024, to all devices in your domain. Don’t stop at domain controllers; every Kerberos client in your organization must have these patches installed.
- OS Versions Affected: The change encompasses a sweeping set of Windows versions, including Windows Server editions from 2012 onward and Windows 10/11 in both Pro and Enterprise flavors.
Why Updating the Whole Fleet Matters:
In mixed environments, older unpatched machines may default to outdated request structures incompatible with these updates, rendering PAC validation ineffective if devices try to interoperate with patched ones.
Step 2: Monitor
Enable Audit Kerberos Ticket Logon Events on your domain controllers. Microsoft provides built-in support for tracking compatibility and enforcement through granular event logs that will flag problem devices and domains.
Starting with April 2024 updates, you'll see the following logged events:
- Event ID 21 (Informational): Indicates actions like filtered SIDs or removed compound identities.
- Event ID 22 (Error): Highlights scenarios where PAC validation outright failed.
- Event ID 23 (Warning/Error): Signals fallback behaviors or outright denials during cross-domain forwarding.
Step 3: Enable Enforced Mode
Once you’re confident that all devices and domains have adopted the April 2024 patches, manually enable Enforced Mode on your systems by setting the following registry keys:

| Registry Subkey | Value Name | Data Type | Data | Default |
|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters | PacSignatureValidationLevel | REG_DWORD | 3 (Enforce) | 2 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters | CrossDomainFilteringLevel | REG_DWORD | 4 (Enforce) | 2 |
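As an added example (my own script, not from the article or the Microsoft KB) tying Steps 2 and 3 together, the following PowerShell readiness check reads the two registry values from the table above, counts Event IDs 21/22/23 over a look-back window, and only writes the Enforce values (3 and 4) when run with -Apply and no failure or denial events (22/23) were logged. The log name (System) and the provider name (Microsoft-Windows-Kerberos-Key-Distribution-Center) are assumptions; confirm them against the events your DCs actually record before relying on the gate.

```powershell
# Added example: PAC validation readiness check and optional switch to Enforced Mode.
# Assumptions: run elevated on a domain controller; audit events live in the System log
# under the Kerberos KDC provider (both names are assumptions, verify on your DCs).
param(
    [int]$Days = 7,      # look-back window for audit events
    [switch]$Apply       # without -Apply the script only reports
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
# Target data from the article's table: 2 = Compatibility (default), 3 / 4 = Enforce
$Targets = @{ PacSignatureValidationLevel = 3; CrossDomainFilteringLevel = 4 }

function Get-PacLevel([string]$Name) {
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 2 }   # absent value behaves as the documented default (2)
    return [int]$item.$Name
}

# Step 2: count the audit events the article lists (21 info, 22 error, 23 warning/error)
$filter = @{
    LogName      = 'System'                                            # assumption
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' # assumption
    Id           = 21, 22, 23
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$counts = @{ 21 = 0; 22 = 0; 23 = 0 }
foreach ($e in $events) { $counts[$e.Id]++ }
"Audit events in the last $Days days: 21={0} 22={1} 23={2}" -f $counts[21], $counts[22], $counts[23]

# Step 3: report current vs. target levels and gate enforcement on a clean audit window
$blocking = $counts[22] + $counts[23]
foreach ($name in $Targets.Keys) {
    $current = Get-PacLevel $name
    "{0}: current={1} target={2}" -f $name, $current, $Targets[$name]
    if ($Apply -and $current -ne $Targets[$name]) {
        if ($blocking -gt 0) {
            Write-Warning "Not enforcing $name: $blocking failure/denial events (22/23) still logged."
            continue
        }
        # REG_DWORD write; per the article no restart is required for the change to apply
        Set-ItemProperty -Path $KeyPath -Name $name -Value $Targets[$name] -Type DWord
        "Set $name to $($Targets[$name]) (Enforce)."
    }
}
```

Run it without -Apply first on each DC to see current levels and event counts, then with -Apply once the window is clean.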
Potential Issues and Their Quick Fixes
It’s not all sunshine and rainbows; implementing PAC validation might lead to hiccups like:
- Cross-forest validation failures: Registry settings offer mitigation levers, but you’ll also want to evaluate your Active Directory’s trust configurations.
- Audit noise: Enabling Enforced Mode prematurely in large organizations may flood your logs with denials, making it harder to sift through critical data.
Final Thoughts: Why This Matters
These updates are more than incremental tweaks—they signify a fundamental shift in how Windows Server environments process and validate authorization data. The foresight into deploying Compatibility Mode, paired with extensive telemetry through auditing, ensures smoother adoption. But putting off these updates isn't just risky—it's reckless.
With Windows 10 reaching the end of support in October 2025 and a continually evolving threat landscape, staying current on Microsoft’s patch policies is the IT equivalent of wearing a seatbelt. So buckle up, plan your updates, and keep your Kerberos ecosystems secure!
For additional technical insights or to share your experiences with these updates, jump into our forum discussions on WindowsForum.com!
Source: Microsoft Support, "How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056"