Symptoms
Printing and scanning might fail when these devices use smart card (PIV) authentication.
Note Devices that are affected when using smart card (PIV) authentication should work as expected when using username and password authentication.
Cause
On July 13, 2021, Microsoft released hardening changes for CVE-2021-33764. This issue can occur when you install updates released July 13, 2021 or later on a domain controller (DC). The affected devices are smart card authenticating printers, scanners, and multifunction devices that either don't support Diffie-Hellman (DH) for key exchange during PKINIT Kerberos authentication or don't advertise support for des-ede3-cbc ("triple DES") in the Kerberos AS request.
Per section 3.2.1 of the RFC 4556 specification, for this key exchange to work, the client has to both support des-ede3-cbc ("triple DES") and notify the key distribution center (KDC) of that support. Clients that initiate Kerberos PKINIT with key exchange in encryption mode but neither support nor tell the KDC that they support des-ede3-cbc ("triple DES") will be rejected.
For printer and scanner client devices to be compliant, they must either:
- Use Diffie-Hellman for key exchange during PKINIT Kerberos authentication (preferred), or
- Both support and notify the KDC of their support for des-ede3-cbc ("triple DES").
Next steps
If you encounter this issue with your printing or scanning devices, verify that you are using the latest firmware and drivers available for your device. If your firmware and drivers are up-to-date and you still encounter this issue, we recommend that you contact the device manufacturer. Ask whether a configuration change is required to bring the device into compliance with the hardening change for CVE-2021-33764 or if a compliant update will be made available.
If there is currently no way to bring your devices into compliance with section 3.2.1 of RFC 4556 specification as required for CVE-2021-33764, a temporary mitigation is now available while you work with your printing or scanning device manufacturer to bring your environment into compliance within the timeline below.
Important You must have your noncompliant devices updated and compliant or replaced by July 12, 2022, when the temporary mitigation will not be usable in security updates.
Important Notice
All temporary mitigation for this scenario will be removed in July 2022 and August 2022, depending on the version of Windows that you are using (see table below). There will be no further fallback option in later updates. All noncompliant devices must be identified using the audit events starting January 2022 and updated or replaced by the mitigation removal starting in late July 2022.
After July 2022, devices which are not compliant with the RFC 4556 specification and CVE-2021-33764 will not be usable with an updated Windows device.
Target Date | Event | Applies to
July 13, 2021 | Updates released with hardening changes for CVE-2021-33764. All later updates have this hardening change on by default. | Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2
July 27, 2021 | Updates released with temporary mitigation to address printing and scanning issues on noncompliant devices. Updates released on this date or later must be installed on your DC and the mitigation must be turned on through the registry key using the steps below. | Windows Server 2019, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2
July 29, 2021 | Updates released with temporary mitigation to address printing and scanning issues on noncompliant devices. Updates released on this date or later must be installed on your DC and the mitigation must be turned on through the registry key using the steps below. | Windows Server 2016
January 25, 2022 | Updates will log audit events on Active Directory domain controllers that identify RFC 4556-incompatible printers that will fail authentication once DCs install the July 2022/August 2022 or later updates. | Windows Server 2022, Windows Server 2019
February 8, 2022 | Updates will log audit events on Active Directory domain controllers that identify RFC 4556-incompatible printers that will fail authentication once DCs install the July 2022/August 2022 or later updates. | Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2
July 21, 2022 | Optional preview update release to remove the temporary mitigation and require compliant printing and scanning devices in your environment. | Windows Server 2019
August 9, 2022 | Important Security update release to remove the temporary mitigation and require compliant printing and scanning devices in your environment. All updates released on this day or later will be unable to use the temporary mitigation. Smartcard-authenticating printers and scanners must be compliant with section 3.2.1 of the RFC 4556 specification required for CVE-2021-33764 after installing these updates or later on Active Directory domain controllers. | Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2
To use the temporary mitigation in your environment, follow these steps on all domain controllers:
1. On the domain controllers, set the temporary mitigation registry value listed below to 1 (enable) by using Registry Editor or the automation tools available in your environment.
   Note Step 1 can be done before or after steps 2 and 3.
2. Install an update that allows the temporary mitigation, available in updates released July 27, 2021 or later (below are the first updates to allow the temporary mitigation):
3. Restart your domain controller.
Registry value for temporary mitigation:
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
Registry subkey | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Value | Allow3DesFallback
Data type | DWORD
Data | 1 – Enable temporary mitigation. 0 – Enable default behavior, which requires your devices to be compliant with section 3.2.1 of the RFC 4556 specification.
Restart required? | No
The above registry key can be created, and the value and data set, using the following command:
reg add HKLM\System\CurrentControlSet\Services\Kdc /v Allow3DesFallback /t REG_DWORD /d 1 /f
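Because the mitigation must be set consistently on every domain controller and then removed again before the August 2022 deadline, it helps to be able to report and change the value fleet-wide from one place. The following PowerShell script is an added example, not part of the Microsoft article: it enumerates the writable DCs of the current domain with the ActiveDirectory module, reads Allow3DesFallback from the Kdc service key documented above on each one over PowerShell remoting (WinRM is assumed to be reachable), and, when asked, sets it to 1 or 0. The registry path and value name come from the article; the parameter names and output layout are this example's own. It does not install the update or restart the DC, which remain separate steps.

```powershell
# Added example (not from the Microsoft article): report or set the
# Allow3DesFallback temporary mitigation on every DC in the current domain.
# Assumes the ActiveDirectory module and WinRM remoting to each DC.
param(
    [ValidateSet('Report', 'Enable', 'Disable')]
    [string]$Action = 'Report'
)

# Registry location and value name as documented in the article.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'Allow3DesFallback'

# The mitigation has to be uniform across all DCs, so target all of them.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $KdcKey, $ValueName, $Action -ScriptBlock {
    param($Key, $Name, $Action)

    # A missing value means the hardened default (compliance required) is in effect.
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name

    if ($Action -eq 'Enable' -and $current -ne 1) {
        # Creates the DWORD if absent, overwrites it otherwise; no DC restart is needed for this value.
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        $current = 1
    }
    elseif ($Action -eq 'Disable' -and $current -eq 1) {
        # 0 restores default behaviour: noncompliant PKINIT clients are rejected again.
        Set-ItemProperty -Path $Key -Name $Name -Value 0
        $current = 0
    }

    if ($null -eq $current)  { $state = 'not set (default: compliance required)' }
    elseif ($current -eq 1)  { $state = 'enabled (temporary mitigation)' }
    else                     { $state = 'disabled (compliance required)' }

    [pscustomobject]@{
        DomainController  = $env:COMPUTERNAME
        Allow3DesFallback = $state
    }
}

$results | Sort-Object DomainController | Format-Table DomainController, Allow3DesFallback -AutoSize
```

Run it with no arguments first to see which DCs already have the value, then with -Action Enable on the DCs where the July 27/29, 2021 or later update is installed. Running it with -Action Disable (or deleting the value) before the August 9, 2022 update is a useful rehearsal: any printer or scanner that stops authenticating at that point is one that still needs a firmware fix or replacement.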
Auditing Events
The January 25, 2022 and February 8, 2022 Windows updates will also add new event IDs to help identify affected devices.
Event Log | System
Event Type | Error
Event Source | Kdcsvc
Event ID | 307 (39 on Windows Server 2008 R2 SP1 and Windows Server 2008 SP2)
Event Text | The Kerberos client did not supply a supported encryption type for use with the PKINIT protocol using encryption mode.

Event Log | System
Event Type | Warning
Event Source | Kdcsvc
Event ID | 308 (40 on Windows Server 2008 R2 SP1 and Windows Server 2008 SP2)
Event Text | A nonconforming PKINIT Kerberos client authenticated to this DC. The authentication was allowed because KDCGlobalAllowDesFallBack was set. In the future, these connections will fail authentication. Identify the device and look to upgrade its Kerberos implementation.
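The audit events are written on whichever DC the device happened to authenticate against, so a complete inventory of noncompliant devices means collecting from every DC, not just one. The PowerShell script below is an added example and not part of the Microsoft article: it pulls the Kdcsvc events listed above (307/308, and 39/40 for the Windows Server 2008 family) from the System log of each DC over remote event-log access, tags each one as a rejection or a fallback-allowed authentication, and writes a summary plus a CSV for follow-up. The log name, provider name and event IDs are the ones the article gives; the parameter names, the outcome labels and the output file name are this example's own assumptions. The event text quoted above does not carry a client name, so the DC and timestamp are what you correlate against the printer's or scanner's own logs.

```powershell
# Added example (not from the Microsoft article): collect the Kdcsvc PKINIT audit
# events from every DC so noncompliant devices can be found before the
# temporary mitigation is removed. Assumes the ActiveDirectory module and
# remote event-log (RPC) access to each DC.
param(
    [int]$Days = 30,
    [string]$OutCsv = '.\kdc-pkinit-audit.csv'   # output path is an assumption
)

# Event IDs from the article: 307/308 normally, 39/40 on Windows Server 2008 R2 SP1 / 2008 SP2.
$RejectedIds = 307, 39
$AllowedIds  = 308, 40
$AuditIds    = $RejectedIds + $AllowedIds

$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddDays(-$Days)

$events = foreach ($dc in $dcs) {
    try {
        $found = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName      = 'System'    # per the article
            ProviderName = 'Kdcsvc'    # per the article
            Id           = $AuditIds
            StartTime    = $since
        }
        foreach ($e in $found) {
            # 307/39: client was rejected (mitigation off or not installed).
            # 308/40: client was allowed only because the fallback value is set.
            if ($e.Id -in $RejectedIds) { $outcome = 'Rejected' } else { $outcome = 'AllowedByFallback' }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                EventId          = $e.Id
                Outcome          = $outcome
                Message          = $e.Message
            }
        }
    }
    catch {
        # Get-WinEvent throws when no matching events exist; that just means nothing to report on this DC.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# Per-DC counts first, then the full list for follow-up with the device owners.
$events | Group-Object DomainController, Outcome | Select-Object Count, Name | Format-Table -AutoSize
$events | Sort-Object TimeCreated | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Wrote $(@($events).Count) event(s) to $OutCsv"
```

A DC that shows only 308/40 events is one where the mitigation is carrying noncompliant devices; once it shows 307/39 events instead, the fallback is no longer in effect there. Schedule the collection to run regularly between the January/February 2022 audit updates and the August 2022 removal so that no device is first noticed when printing stops.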
Status
Microsoft has confirmed that this is an issue in the Microsoft products that are listed in the "Applies to" section.