Score:1

Windows Admin Center Resource Based delegation stopped working with KRB_AP_ERR_MODIFIED error

Our WAC installation SSO (via resource based delegation) stopped working last week for unknown reasons and it's driving me mad. The following event is logged on the WAC server when attempting to connect to a managed client (any of them) in the WebUI:

A Kerberos error message was received:
 on logon session 
 Client Time: 
 Server Time: 19:6:29.0000 11/29/2021 Z
 Error Code: 0x29 KRB_AP_ERR_MODIFIED
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm: 
 Client Name: 
 Server Realm: DOMAIN.COM
 Server Name: HTTP/accounting-02-m.domain.com
 Target Name: HTTP/[email protected]
 Error Text: 
 File: onecore\ds\security\protocols\kerberos\client2\kerbtick.cxx
 Line: 128d
 Error Data is in record data.

The corresponding error 0x29 is also logged on the targeted KDC.

Access to the WAC WebUI works fine for users, and remote PowerShell to target machines outside WAC works as well for the same users. When access is denied to a target machine in WAC and credentials are prompted, manually entering my creds allows access. The WebUI directly on the WAC server allows it to be used as intended to access target machines via SSO. This rules out permission problems and seems to point towards a double hop delegation issue.

A capture of network traffic shows the TGS-REQ/REP for myself to access the WAC$ machine, and then I see the TGS-REQ for the targeted machine service (i.e. HTTP/accounting-02-m.domain.com) with KRB-OPTION "constrained-delegation: True", followed by the KRB-ERROR for KRB5KRB_AP_ERR_MODIFIED...

I checked delegation for a sample machine and it looks as expected:

Path Owner                    Access
---- -----                    ------
     BUILTIN\Administrators   DOMAIN\WAC$ Allow

I made sure the secure channel is working between server/target and DC (I reset the machine password anyway):

PS C:\> Test-ComputerSecureChannel
true

I checked for SPN issues:

PS C:\> setspn -L accounting-02-m
Registered ServicePrincipalNames for CN=ACCOUNTING-02-M,OU=Workstations,OU=Domain Computers,DC=domain,DC=com:
WSMAN/ACCOUNTING-02-M
WSMAN/ACCOUNTING-02-M.domain.com
TERMSRV/ACCOUNTING-02-M
TERMSRV/ACCOUNTING-02-M.domain.com
RestrictedKrbHost/ACCOUNTING-02-M
HOST/ACCOUNTING-02-M
RestrictedKrbHost/ACCOUNTING-02-M.domain.com
HOST/ACCOUNTING-02-M.domain.com

PS C:\> setspn -Q HTTP/accounting-02-m
Checking domain DC=domain,DC=com

No such SPN found.

I believe SPN mapping should take care of HOST->HTTP equivalence:

host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin

I use klist purge -li 0x3e7 to clear machine tickets prior to any testing.

The WAC server is Win2019, service running as "Network Service", KDCs are Win2019, and clients are a mix of Win10 and Win2012R2/2016/2019. Time delta is max 1s on all machines involved (KDC, Server, Target). We have a single domain forest.

I suspected KB5008380 due to this error logged on the KDC:

During TGS processing, the KDC was unable to verify the signature on the PAC from WAC$. This indicates the PAC was modified.

But couldn't find the registry key anywhere in the domain (nor the update installed on the KDCs).

From my understanding of the Kerberos RFCs, either the checksum fails due to an altered ticket in transit (unlikely), or the service can't decrypt the ticket due to a secure channel problem or SPN misconfiguration, but all of those look correctly configured.

What am I missing here? What is broken?

Swisstone: I'd recommend checking if duplicate SPNs exist in your domain by running `setspn /x`

(asker): @Swisstone found 0 group of duplicate SPNs.
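The checks the asker ran by hand (clock skew, secure channel, SPN ownership including the HOST fallback for HTTP, domain-wide duplicate SPNs, and the RBCD entry on the target) can be consolidated into one report so that the pieces that explain a KRB_AP_ERR_MODIFIED are all visible at once. This is an added example, not code from the question; it assumes the RSAT ActiveDirectory module is installed, that WinRM to the target and KDC works, and that the gateway computer account name (`WAC`), target name and domain below are placeholders for your own values.

```powershell
# Added diagnostic (not from the original post). Assumes the ActiveDirectory
# module, WinRM access to target and KDC, and placeholder names below.
[CmdletBinding()]
param(
    [string]$WacServer = 'WAC',              # assumed name of the gateway computer account
    [string]$Target    = 'accounting-02-m',  # target machine from the question
    [string]$Domain    = 'domain.com'
)
Import-Module ActiveDirectory -ErrorAction Stop

$targetFqdn = "$Target.$Domain"
$report     = [ordered]@{}

# 1. Clock skew: Kerberos rejects tickets outside the 5-minute default tolerance,
#    so compare UTC time on the KDC and on the target with this host.
$kdc = (Get-ADDomainController -Discover -DomainName $Domain).HostName | Select-Object -First 1
foreach ($h in @($kdc, $targetFqdn)) {
    $remoteUtc = Invoke-Command -ComputerName $h -ScriptBlock { (Get-Date).ToUniversalTime() } -ErrorAction SilentlyContinue
    $report["SkewSeconds_$h"] = if ($remoteUtc) {
        [math]::Round([math]::Abs(((Get-Date).ToUniversalTime() - $remoteUtc).TotalSeconds), 1)
    } else { 'unreachable' }
}

# 2. Secure channel of this machine to the KDC (the asker verified this with
#    Test-ComputerSecureChannel on the gateway and target).
$report['SecureChannelOk'] = Test-ComputerSecureChannel -Server $kdc

# 3. SPN ownership: HTTP/<fqdn> is served by HOST/<fqdn> through the sPNMappings
#    list quoted in the question, so a missing HTTP SPN is fine as long as exactly
#    one account owns HTTP/ or HOST/ for this name. Two owners means the KDC can
#    encrypt the service ticket for an account the target cannot decrypt, which
#    surfaces as KRB_AP_ERR_MODIFIED.
$spnFilter = "(|(servicePrincipalName=HTTP/$targetFqdn)(servicePrincipalName=HOST/$targetFqdn))"
$spnOwners = @(Get-ADObject -LDAPFilter $spnFilter -Properties servicePrincipalName)
$report['SpnOwners']      = ($spnOwners | ForEach-Object { $_.DistinguishedName }) -join '; '
$report['SpnSingleOwner'] = $spnOwners.Count -eq 1

# 4. Domain-wide duplicate SPN scan, same as the setspn /x the commenter suggested.
$spnX = (setspn -X 2>&1) -join "`n"
$report['DuplicateSpnGroups'] = if ($spnX -match 'found (\d+) group') { [int]$Matches[1] } else { 'unknown' }

# 5. Resource-based constrained delegation: the target's
#    msDS-AllowedToActOnBehalfOfOtherIdentity (exposed by the AD module as
#    PrincipalsAllowedToDelegateToAccount) must list the gateway account.
$wacDn   = (Get-ADComputer -Identity $WacServer).DistinguishedName
$allowed = (Get-ADComputer -Identity $Target -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
$report['RbcdAllowsGateway'] = [bool]($allowed -contains $wacDn)
$report['RbcdPrincipals']    = @($allowed) -join '; '

[pscustomobject]$report | Format-List
```

Run it from the WAC gateway as a domain user with read access to AD. A report with small skew, a working secure channel, a single SPN owner, zero duplicate groups and `RbcdAllowsGateway` true matches the asker's findings and means the remaining suspects are on the KDC side rather than in the delegation configuration.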
Score:1

Ok, so it turns out KB5007206 is to blame, even though the initial notes didn't mention the potential issue... I'm not risking the OOB update, so uninstalling KB5007206 on the DCs solved the problem.
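Before changing patch state on domain controllers it helps to correlate, per DC, whether KB5007206 (the update the answer blames) or KB5008380 (the one the asker suspected) is installed with the "unable to verify the signature on the PAC" events the KDC logged. The following is an added example and not part of the answer; it assumes the ActiveDirectory module, WinRM access to every DC, and that `WAC$` is the gateway computer account named in the KDC event. Events are matched on message text rather than an event ID so the script does not depend on an ID the thread never states.

```powershell
# Added example (not from the answer): inventories each DC for the two updates
# named in the thread and counts KDC PAC-signature failures, so the update can
# be tied to the outage before anything is uninstalled. Assumes the
# ActiveDirectory module and WinRM access to the DCs.
[CmdletBinding()]
param(
    [string]$Domain         = 'domain.com',
    [string]$GatewayAccount = 'WAC$',   # assumed gateway account from the KDC event text
    [int]$Hours             = 24
)
Import-Module ActiveDirectory -ErrorAction Stop
$since = (Get-Date).AddHours(-$Hours)

$rows = foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain).HostName) {
    # Which of the two updates is present on this DC
    $installed = foreach ($kb in 'KB5007206', 'KB5008380') {
        if (Get-HotFix -Id $kb -ComputerName $dc -ErrorAction SilentlyContinue) { $kb }
    }

    # KDC events whose message reports a PAC signature verification failure
    $pacErrors = @(Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            StartTime    = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'unable to verify the signature on the PAC' })

    $fromGateway = @($pacErrors | Where-Object { $_.Message -match [regex]::Escape($GatewayAccount) })

    [pscustomobject]@{
        DC             = $dc
        InstalledKBs   = ($installed -join ',')
        PacSigFailures = $pacErrors.Count
        FromGateway    = $fromGateway.Count
        LastFailure    = ($pacErrors | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
}

$rows | Sort-Object PacSigFailures -Descending | Format-Table -AutoSize
```

If the DCs showing PAC-signature failures from the gateway account are exactly the ones with KB5007206 installed, that supports the answer's diagnosis; DCs without the update and without failures act as the control group. Keep the report, since the same check is what tells you whether a later update reintroduces the behaviour.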
