Error message during join "KRB5KDC_ERR_TGT_REVOKED (-1765328364): TGT has been revoked"
The following error message is shown during a domain join attempt:
-----------------------
ERROR: Could not join to the domain
VAS_ERR_KRB5: Kerberos error
Could not set password
Caused by:
KRB5KDC_ERR_TGT_REVOKED (-1765328364): TGT has been revoked
-----------------------
Note that both of the above messages, "Could not set password" and "KRB5KDC_ERR_TGT_REVOKED (-1765328364): TGT has been revoked", should appear if you are experiencing this specific issue.
SCENARIO 1
Once the Microsoft patch for CVE-2021-42287 has been installed and the PacRequestorEnforcement registry value has been manually changed to 2, password changes performed by a user other than the account itself fail.
During the join, the account used to perform the join resets the password of the computer object to a secret value and stores it in the keytab. This is the step that fails.
SCENARIO 2
The 'vastool passwd' command, when used to reset a different account's password, also fails under the same conditions.
CAUSE:
Incompatibility between the Microsoft patch for CVE-2021-42287 and the PacRequestorEnforcement registry value being set to 2.
At this time the registry value is a manual change.
RESOLUTION:
This has been resolved in Safeguard Authentication Services 5.0.5 available here.
This version requires a new license. Details are available here.
This has been resolved in Safeguard Authentication Services 4.2.5 available here.
This version is in limited support. Product Life Cycle.
Check if the following Microsoft patch has been installed:
https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
The registry key on the Domain Controllers is:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\PacRequestorEnforcement
If PacRequestorEnforcement has a value of 2 (Enforcement mode), the join can fail with the TGT revoked error message.
STATUS:
This issue is fixed in version 5.0.5. The current ETA for this release is February 2022.
WORKAROUND:
Set the PacRequestorEnforcement registry option to either 0 or 1.
Note that this change only needs to be temporary in order to complete the join. After the join is complete, the value can be set back to 2.
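The following PowerShell script is an added example, not part of the One Identity article, that audits the PacRequestorEnforcement value on every domain controller before a join is attempted, so an administrator can see which DCs are in Enforcement mode and need the temporary workaround. It assumes the ActiveDirectory RSAT module and PowerShell Remoting (WinRM) to the DCs are available.

```powershell
# Added example, not from the One Identity article. Reads the PacRequestorEnforcement
# value from the KDC registry key on each domain controller and reports whether a
# vastool join / vastool passwd would hit the "TGT has been revoked" failure.
# Assumes the ActiveDirectory module and PowerShell Remoting to the DCs.
$KdcKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName  = 'PacRequestorEnforcement'

function Get-PacRequestorEnforcementState {
    param([Parameter(Mandatory)][string[]]$DomainController)

    foreach ($dc in $DomainController) {
        # Read the value remotely; a missing value yields $null instead of an error.
        $value = Invoke-Command -ComputerName $dc -ArgumentList $KdcKeyPath, $ValueName -ScriptBlock {
            param($Path, $Name)
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        }

        if ($null -eq $value) {
            $state = 'not set (default behaviour of the installed update applies)'
        } elseif ($value -eq 2) {
            $state = 'Enforcement mode: vastool join / vastool passwd will fail with TGT revoked'
        } elseif ($value -eq 0 -or $value -eq 1) {
            $state = "value $value - join can proceed"
        } else {
            $state = "unexpected value $value - review manually"
        }

        [pscustomobject]@{
            DomainController        = $dc
            PacRequestorEnforcement = $value
            State                   = $state
        }
    }
}

# Query every DC in the current domain and flag the ones that would break the join.
$dcs    = (Get-ADDomainController -Filter *).HostName
$report = Get-PacRequestorEnforcementState -DomainController $dcs
$report | Format-Table -AutoSize
if ($report.PacRequestorEnforcement -contains 2) {
    Write-Warning 'At least one DC is in Enforcement mode; set PacRequestorEnforcement to 0 or 1 on it before joining, then restore it afterwards.'
}
```

Run it from a workstation with RSAT as an account that can read the DC registry; the KDC is queried per DC because the value is set manually and may differ between controllers.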