Summary
Windows updates for CVE-2021-42282 released on November 9, 2021 add the following verifications for attributes in Active Directory (AD):
-
User principal name (UPN) and service principal name (SPN) uniqueness (new to Windows 8, Windows Server 2012, and earlier releases)
-
SPN alias uniqueness (new to all Windows versions)
User principal name and service principal name uniqueness
This feature guarantees that SPNs are unique in a forest, which prevents computers and domain controllers from adding duplicate SPNs. This functionality already exists in Windows 8.1 and above and is described in SPN and UPN uniqueness.
SPN alias uniqueness
An existing AD attribute defines aliases for many common service classes to the equivalent HOST SPN for services such as CIFS, HTTP, and RPC. The AD attribute is defined as a list in the configuration naming context of an Active Directory forest. A user who does not have administrator rights might not reassign an SPN that is implicitly assigned to a different account using this aliasing.
Note This verification is implemented in addition to the verification for UPN and SPN uniqueness.
SPN alias uniqueness verifications are on by default. You can turn these verifications off by modifying the 21st character of the dSHeuristics attribute, which is interpreted as a series of characters. The dSHeuristics attribute does not exist by default, but you can add it under the distinguished name “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=support,DC=local”. Possible settings and their corresponding bit values are as follows:
-
Value 0 – means Enforce All (no bits set 000) Default
-
Value 1 – means Disable UPN Uniqueness verification (bit 0 set - 001)
-
Value 2 – means Disable SPN Uniqueness verification (bit 1 set - 010)
-
Value 3 – means Disable UPN Uniqueness AND SPN Uniqueness verification. (bit 0 and 1 set - 011)
-
Value 4 – means Disable SPN Alias Uniqueness verification (bit 2 set - 100)
-
Value 5 – means Disable SPN Alias AND UPN Uniqueness verification (bit 2 and bit 0 set - 101)
-
Value 6 - means Disable SPN Alias AND SPN Uniqueness (bit 2 and bit 1 set - 110)
-
Value 7 – means Disable All (all bits set 111)
Example: If you have no other dSHeuristics settings enabled in your forest and you only want to disable SPN alias uniqueness verification, the dSHeuristics attribute should be set to: “000000000100000000024”
The characters that are set in this case are:
10th char: Must be set to 1 if the dSHeuristics attribute is at least 10 characters
20th char: Must be set to 2 if the dSHeuristics attribute is at least 20 characters
21st char: Must be set to a value in the list above; value 4 means Disable SPN Alias Uniqueness.
Note If the dSHeuristics attribute is already set, make sure to merge the existing settings into your new dSHeuristics attribute string and confirm that the 10th, 20th and 21st characters are set as above. The other characters that are already set should remain unchanged.
For more information about configuring the dSHeuristics characters please refer to the following documents:
More information
What is a service principal name?
A service principal name (SPN) is a unique identifier for a service instance. Kerberos authentication uses SPNs to associate a service instance with a service sign in account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. Please see Service Principal Names for more details.
What is a user principal name?
A user principal name (UPN) is an email-style sign in name for a user based on the internet standard RFC 822. For more details, please see User-Principal-Name attribute.
Frequently asked questions
Q1 What if I need to register a duplicate HOST alias SPN for account?
A1 Register the required SPN as administrator.
Q2 What happens if I turn off SPN or UPN uniqueness?
A2 We do not recommend this. If SPNs are not unique, then it's as though any SPNs that are duplicates aren’t registered at all. Registering a duplicate SPN has the same effect as unregistering the original one. If UPNs are not unique, user lookups using duplicate UPNs will fail.
Q3 What happens if I turn off SPN alias uniqueness?
A3 We do not recommend this. A non-administrator might change the resolution of an existing alias SPN from its current resolution to a computer under the non-administrator’s control. That computer might act as that service because the server authentication that Kerberos provides would accept the new account as the correct host for the service instead of the original account with the HOST SPN.
Q4 How can a domain administrator find duplicate SPNs or UPNs already present on the network?
A4 This is not practical without writing extensive scripting to enumerate all SPNs and UPNs from the domain and correlate to find duplicates.
Q5 What happens if I have a mixture of domain controllers that are updated and not updated or mismatched settings between domain controllers?
A5 Replication will not be blocked because of duplicate UPNs or SPNs. Therefore, duplicates can replicate to other domain controllers if the duplicate UPNs or SPNs are created on a domain controller that does not have the update.
