After installing the most recent updates on their Domain Controllers, some readers have reported in the comments that the Local Security Authority Subsystem Service (LSASS) process on their Domain Controllers continually increases its memory usage, until the Domain Controllers become unresponsive and even restart automatically…
The cause
Many Active Directory admins experienced issues with the Kerberos hardening settings to address CVE-2022-37966. This issue, however, is attributed to the Kerberos protocol changes addressing CVE-2022-37967, introduced with the November 8, 2022 cumulative updates (2022.B11). These changes are described in KB5020805.
These changes are not applied by merely installing the update, but need to be enabled manually. However, the changes will be enabled automatically with the June 2023 updates.
After applying the November 2022 updates to all Domain Controllers, all Domain Controllers add signatures to the Kerberos PAC buffer. It now seems that this added functionality and the automatic enablement of the feature are causing problems in some environments.
The solution
There are two main solutions:
Upgrade Domain Controllers to Windows Server 2022
If you ever wondered on which systems Microsoft's testers test their updates, this issue provides the answer. On Windows Server 2022, the Kerberos protocol changes do not cause this problem.
Note:
However, you might experience the same issues on Windows Server 2022-based Domain Controllers with third-party software solutions. Use the information in Microsoft's How to troubleshoot high Lsass.exe CPU utilization on Active Directory Domain Controllers doc to troubleshoot them.
Roll back the KrbtgtFullPacSignature protocol changes
If you are not running Microsoft's latest and greatest and the LSASS process on your Domain Controllers continually increases its memory usage until your Domain Controllers become unresponsive and even restart automatically, then Microsoft advises rolling back the changes that add signatures to the Kerberos PAC buffer.
To do so, use the following line of Windows PowerShell on all Domain Controllers:
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name KrbtgtFullPacSignature -Value 0 -PropertyType DWORD -Force
Note:
The above line of PowerShell removes the Kerberos protocol changes addressing CVE-2022-37967. An authenticated attacker could leverage cryptographic protocol vulnerabilities in Windows Kerberos: if the attacker gains control of a service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges.
Note:
For the December 13, 2022 cumulative updates and later updates, Microsoft plans to change the value of the above registry key to 2 on Domain Controllers. When you change the above registry key, you may need to change it again…
Note:
Microsoft intends to remove the ability to disable PAC signature addition with the April 11, 2023 cumulative updates, after which the above solution will no longer work. It is likely that Microsoft provides a solution for the LSASS memory leak before that time.
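Because the registry value may be changed again by later updates, and because the leak shows up as a steadily growing LSASS working set, it helps to audit all Domain Controllers in one go. The script below is an added example, not part of the original post or a Microsoft tool. It assumes the ActiveDirectory PowerShell module, WinRM access to every Domain Controller and a Domain Admin session; the column names are my own.

```powershell
# Added example (not from the original post): report, per Domain Controller, the OS,
# the KrbtgtFullPacSignature value from the post's rollback and the LSASS working set.
#Requires -Modules ActiveDirectory

$regPath = 'HKLM:\System\CurrentControlSet\Services\KDC'
$regName = 'KrbtgtFullPacSignature'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ArgumentList $regPath, $regName -ScriptBlock {
            param($path, $name)
            $os    = Get-CimInstance -ClassName Win32_OperatingSystem
            # Missing value means the update's default applies; 0 means the rollback from the post is in place
            $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -eq $value)  { $state = 'not set (update default applies)' }
            elseif ($value -eq 0)  { $state = '0 (PAC signatures disabled, rollback applied)' }
            else                   { $state = "$value" }
            # Working set of lsass.exe at the time of the query; compare across runs to spot growth
            $lsass = Get-Process -Name lsass
            [pscustomobject]@{
                DomainController  = $env:COMPUTERNAME
                OperatingSystem   = $os.Caption
                LastBoot          = $os.LastBootUpTime
                PacSignature      = $state
                LsassWorkingSetMB = [math]::Round($lsass.WorkingSet64 / 1MB, 1)
            }
        }
    }
    catch {
        # Unreachable DCs are listed rather than silently skipped
        [pscustomobject]@{
            DomainController  = $dc.HostName
            OperatingSystem   = 'unreachable'
            LastBoot          = $null
            PacSignature      = $_.Exception.Message
            LsassWorkingSetMB = $null
        }
    }
}

$report | Sort-Object LsassWorkingSetMB -Descending |
    Format-Table DomainController, OperatingSystem, LastBoot, PacSignature, LsassWorkingSetMB -AutoSize
```

Run it on a schedule and keep the output; a working set that only ever climbs between runs on the pre-2022 Domain Controllers, while the Windows Server 2022 ones stay flat, is the pattern the post describes.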
Concluding
Running Microsoft’s latest and greatest as the Windows Server Operating System on the Domain Controllers saved my bacon with the Kerberos protocol changes addressing CVE-2022-37967.
Excellent information as always, Sander