What is the impact (if any) to Centrify if implementing Microsoft's recommended KRBTGT account password reset script?
Versions of Centrify DirectControl < 2015.1 (5.2.3) on all platforms.
Microsoft has recently modified its position on KRBTGT account passwords and the security implications thereof. Because of this, best practice now dictates periodic resets of the KRBTGT account password. To this end, Microsoft has provided a script that helps accomplish this.
Resources (links provided as a courtesy):
https://technet.microsoft.com/en-us/library/dn745899.aspx#Sec_KRBTGT
http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
Microsoft's stance changed shortly before our Suite 2015 GA release. This prevented us from doing a thorough investigation into the implications of incorporating this script into your environment's operational processes.
In preparation to address this for Suite 2015.1, our team investigated the factors at play and the specific implications this may have:
- The problem arises when an agent tries to use a ticket-granting ticket (TGT) issued under the old (stale) KRBTGT key to obtain a new service ticket for a connection. All session tickets that have already been issued remain valid.
- The Windows side is unaffected. The .NET SDK has been updated to automatically re-authenticate.
- The Unix side can be affected. On startup, adclient will already have obtained a TGT and an LDAP service ticket in order to connect/join to AD. That session ticket remains good, and at its half-life adclient re-authenticates and obtains a new ticket. The problem arises when adclient must obtain a new service ticket (e.g. on a DC switch during a binding refresh or fail-over): it cannot, because its TGT was issued under the stale KRBTGT key, and the agent drops into Disconnected mode.
- The same is true for the DirectAudit agent. As long as it remains with its initial collector it will be fine; the problem occurs when it must switch collectors. It would not be able to and would drop into Disconnected mode.
This concern has been addressed in Suite 2015.1 (5.2.3). Here is the associated portion from the release notes:
===== When the KRBTGT account password is changed in AD, adclient can no longer request service tickets using the current ticket-granting ticket (TGT). Previously, adclient had to wait until the TGT expired before re-acquiring a new TGT from the KDC (the default TGT lifetime is 10 hours). This release triggers re-acquisition of the machine's TGT when there is a problem requesting a service ticket using the currently cached TGT. (Ref: 78103) =====
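The failure mode and the 5.2.3 fix described above, as an added Python model that is not Centrify code: a toy KDC issues a TGT keyed to the current krbtgt key, the krbtgt password is reset, and the agent then needs a service ticket for a second DC. The toy KDC honours only the current key (an assumption of the model; a real Windows KDC also accepts the previous key version, which is why Microsoft's script resets the password twice), so a single reset is enough to reproduce the stale-TGT failure; principal and DC names are constructed.

```python
import hmac, hashlib, os

class KDC:
    """Toy KDC: a TGT is (body, MAC of body under the current krbtgt key).
    Constructed model that keeps only the current key, so a reset stales all TGTs."""
    def __init__(self):
        self.kvno, self.krbtgt_key = 1, os.urandom(32)

    def reset_krbtgt(self):  # what the KRBTGT reset script does
        self.kvno, self.krbtgt_key = self.kvno + 1, os.urandom(32)

    def _mac(self, body):
        return hmac.new(self.krbtgt_key, body, hashlib.sha256).digest()

    def as_req(self, principal):  # AS exchange: authenticate, receive TGT
        body = f"{principal}|kvno={self.kvno}".encode()
        return body, self._mac(body)

    def tgs_req(self, tgt, service):  # TGS exchange: needs a TGT that verifies
        body, tag = tgt
        if not hmac.compare_digest(tag, self._mac(body)):
            raise PermissionError("TGT not valid under current krbtgt key")
        return f"ticket:{service}"

class Agent:
    """Model of adclient ticket handling; reacquire=True is the 5.2.3 behaviour."""
    def __init__(self, kdc, principal, reacquire):
        self.kdc, self.principal, self.reacquire = kdc, principal, reacquire
        self.tgt = kdc.as_req(principal)  # TGT obtained at startup/join
        self.connected = True

    def service_ticket(self, service):
        try:
            return self.kdc.tgs_req(self.tgt, service)
        except PermissionError:
            if not self.reacquire:
                self.connected = False  # pre-5.2.3: Disconnected until the TGT expires
                return None
            self.tgt = self.kdc.as_req(self.principal)  # re-acquire TGT (Ref: 78103)
            return self.kdc.tgs_req(self.tgt, service)

def simulate(reacquire):
    """Join, then a KRBTGT reset, then a DC switch that needs a fresh service ticket."""
    kdc = KDC()
    agent = Agent(kdc, "host/unix01.example.com", reacquire)
    first = agent.service_ticket("ldap/dc1.example.com")
    kdc.reset_krbtgt()
    second = agent.service_ticket("ldap/dc2.example.com")
    return first, second, agent.connected
```

`simulate(False)` ends with the agent Disconnected and no ticket for the second DC; `simulate(True)` re-acquires the TGT and stays connected.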