After installing the Windows updates from November 2020, you might run into failures with BULK INSERT or linked server queries if a session stays open for more than 10 hours.
Recent changes on the Windows side altered how S4U (unconstrained delegation) Kerberos tickets work.
This is a long-standing SQL Server behaviour: it expects long-lived, delegatable sessions without the user ever re-authenticating. The issue is normally hidden because the TGT can be renewed for up to 7 days by default. However, the recent PerformTicketSignature patch was released with a default setting that does not issue renewable tickets.
After installing this update on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication and ticket renewal issues. This is caused by an issue in how CVE-2020-17049 was addressed in these updates.
To solve this problem, there are two possibilities:
1. Install the December 2020 update on all Domain Controllers, then change the PerformTicketSignature registry value to 2 on all Domain Controllers
December 8, 2020—KB4593226 (OS Build 14393.4104) (microsoft.com)
Managing deployment of Kerberos S4U changes for CVE-2020-17049 (microsoft.com)
2. Switch the authentication configuration to constrained delegation (S4U2Proxy)
The issue only occurs with unconstrained delegation (S4U), so the same problem will not appear in a constrained delegation environment.
Unconstrained delegation is considered vulnerable; a configuration using constrained delegation or resource-based constrained delegation is the more secure approach.
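The two remediation paths above both start with an audit: which domain controllers already enforce PerformTicketSignature, and which SQL Server machine or service accounts still rely on unconstrained delegation. The PowerShell below is an added example written for this post, not Microsoft's tooling or a script from the original article. It assumes the ActiveDirectory module (RSAT) is available and that you can run remote commands against the domain controllers; the registry location of PerformTicketSignature (under the Kdc service key) is taken from Microsoft's CVE-2020-17049 deployment guidance linked above and should be verified against that article. The function and parameter names are the example's own.

```powershell
# Added example: audit PerformTicketSignature on every DC and list accounts with unconstrained delegation.
# Registry path assumed from Microsoft's CVE-2020-17049 guidance; confirm against the linked article.
$KdcKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName  = 'PerformTicketSignature'

function Get-PerformTicketSignatureState {
    # Reports the current PerformTicketSignature value on each DC (including RODCs).
    # A missing value is returned as $null; 2 is the value the post recommends once
    # every DC has the December 2020 update installed.
    [CmdletBinding()]
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        try {
            $value = Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $KdcKeyPath, $ValueName -ScriptBlock {
                param($path, $name)
                (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                DomainController       = $dc
                PerformTicketSignature = $value
                Enforced               = ($value -eq 2)
                Error                  = $null
            }
        } catch {
            [pscustomobject]@{
                DomainController       = $dc
                PerformTicketSignature = $null
                Enforced               = $false
                Error                  = $_.Exception.Message
            }
        }
    }
}

function Set-PerformTicketSignatureEnforced {
    # Sets PerformTicketSignature to 2 on the given DCs. Only run this after the
    # December 2020 update is installed on ALL domain controllers, as the post states;
    # supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$DomainController
    )
    foreach ($dc in $DomainController) {
        if ($PSCmdlet.ShouldProcess($dc, "Set $ValueName = 2")) {
            Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $KdcKeyPath, $ValueName -ScriptBlock {
                param($path, $name)
                Set-ItemProperty -Path $path -Name $name -Value 2 -Type DWord
            }
        }
    }
}

function Get-DelegationAccount {
    # Lists computer and user accounts that carry the TRUSTED_FOR_DELEGATION flag
    # (unconstrained delegation, the configuration affected by this issue) alongside
    # accounts already configured for constrained delegation (msDS-AllowedToDelegateTo).
    # Domain controllers are excluded because the flag is expected on them.
    $dcNames = (Get-ADDomainController -Filter *).Name

    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties ServicePrincipalName |
        Where-Object { $dcNames -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Computer'; Name = $_.Name; Delegation = 'Unconstrained'; SPNs = ($_.ServicePrincipalName -join ';') }
        }

    Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties ServicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{ Type = 'User'; Name = $_.SamAccountName; Delegation = 'Unconstrained'; SPNs = ($_.ServicePrincipalName -join ';') }
        }

    Get-ADObject -Filter 'msDS-AllowedToDelegateTo -like "*"' -Properties 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            [pscustomobject]@{ Type = $_.ObjectClass; Name = $_.Name; Delegation = 'Constrained'; SPNs = ($_.'msDS-AllowedToDelegateTo' -join ';') }
        }
}

# Usage (review the output before making any change):
Get-PerformTicketSignatureState | Format-Table -AutoSize
Get-DelegationAccount | Where-Object Delegation -eq 'Unconstrained' | Format-Table -AutoSize
# Set-PerformTicketSignatureEnforced -DomainController (Get-ADDomainController -Filter *).HostName -WhatIf
```

Accounts that show up as Unconstrained and carry an MSSQLSvc SPN are the ones where the 10-hour session failure can appear; they are candidates for option 2 (constrained or resource-based constrained delegation), while the Enforced column tells you whether option 1 has been completed on every DC.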
Other Windows Server versions:
The same issue is present in all Windows security patches released after November 2020:
Windows Server 2012 R2 - KB4586845
Windows Server 2012 - KB4586834
Thank you to @dineu , Support Escalation Engineer from SQL Server Networking Team, for your help writing this post.