A November patch introduces new conflicts in Active Directory

Posted on Wednesday, January 12, 2022 in System administration

In a project for a client that I was working on last month, we found that attempts to create new users in Active Directory failed with the following error:

ldap_add: Constraint violation (19)
        additional info: 000021C7: AtrErr: DSID-03200DF3, #1:
        0: 000021C7: DSID-03200DF3, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 90303 (servicePrincipalName)

Normally this error means that an object with that servicePrincipalName already exists. That was not the case here: an LDAP search for the SPN returned nothing.

So I repeated the same operation in my own test environment, completely separate from the client's and against a different Active Directory server.
The result was the same: CONSTRAINT_ATT_TYPE.

After a day and a half of trying everything possible with no progress, we started to hear from other customers with the same problem. Too much of a coincidence.

It turned out that all of this was caused by change KB5008382, which Microsoft introduced to Active Directory in the November 2021 updates.

This change introduces new restrictions on the principal-name attributes when new users are created. In practice it is a change in Active Directory behaviour that affects many products that use SPNEGO and register their own service principals.
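As an added example (not code from this post, nor from Microsoft, Cloudera or Bluemetrix), the following Python helper does the two things a practitioner wants when hitting this error: it turns the ldap_add output shown above into structured fields so the symptom can be recognised in logs, and it builds the ldapsearch that looks for the clashing value in both servicePrincipalName and userPrincipalName rather than in the SPN attribute alone. The assumption behind that search, stated here rather than taken from the post, is that the new constraint compares the value being added against existing SPNs and UPNs alike, so a "missing" SPN can still collide with somebody's UPN. The host, base DN, bind DN and principal values are made up.

```python
import re

# Constructed sample: the ldap_add output shown in the post, kept verbatim.
SAMPLE_ERROR = """ldap_add: Constraint violation (19)
        additional info: 000021C7: AtrErr: DSID-03200DF3, #1:
        0: 000021C7: DSID-03200DF3, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 90303 (servicePrincipalName)
"""

# First line: the LDAP result code, e.g. "Constraint violation (19)".
_RESULT_RE = re.compile(r"^ldap_\w+: (?P<text>.+?) \((?P<code>\d+)\)\s*$", re.M)

# AD detail line: Win32 error, DSID, problem number and name, attribute id and name.
_DETAIL_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<problem_name>[A-Z_]+)\),\s*"
    r"data (?P<data>\d+), Att (?P<att_id>[0-9A-Fa-f]+) \((?P<att>\w+)\)"
)

PRINCIPAL_ATTRS = ("servicePrincipalName", "userPrincipalName")


def parse_ad_error(text):
    """Return the structured fields of an AD ldap_add/ldap_modify failure, or None."""
    result = _RESULT_RE.search(text)
    detail = _DETAIL_RE.search(text)
    if not result or not detail:
        return None
    return {
        "code": int(result["code"]),
        "text": result["text"],
        "win32": detail["win32"].upper(),
        "dsid": detail["dsid"].upper(),
        "problem": int(detail["problem"]),
        "problem_name": detail["problem_name"],
        "data": int(detail["data"]),
        "att_id": detail["att_id"],
        "att": detail["att"],
    }


def looks_like_principal_clash(err):
    """CONSTRAINT_ATT_TYPE (1005) on an SPN or UPN attribute is the symptom described in the post."""
    return err is not None and err["problem"] == 1005 and err["att"] in PRINCIPAL_ATTRS


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def clash_filter(value):
    """Filter matching any object whose SPN or UPN equals the value.

    The UPN is also matched with a realm suffix ("value@*"), since UPNs normally
    carry one while SPNs do not. Assumption made here: the new constraint compares
    the value against both attributes, not only against existing SPNs.
    """
    v = ldap_escape(value)
    return (
        f"(|(servicePrincipalName={v})"
        f"(userPrincipalName={v})"
        f"(userPrincipalName={v}@*))"
    )


def ldapsearch_argv(host, base_dn, bind_dn, value):
    """Build the OpenLDAP ldapsearch command for the clash check (-W prompts for the password)."""
    return [
        "ldapsearch", "-LLL", "-H", f"ldap://{host}", "-D", bind_dn, "-W",
        "-b", base_dn, clash_filter(value),
        "distinguishedName", "servicePrincipalName", "userPrincipalName",
    ]


if __name__ == "__main__":
    err = parse_ad_error(SAMPLE_ERROR)
    print(err)
    if looks_like_principal_clash(err):
        # Hypothetical host, base DN, bind DN and principal; replace with real values.
        print(" ".join(ldapsearch_argv("dc01.example.com", "DC=example,DC=com",
                                       "CN=svc-ldap,OU=Service,DC=example,DC=com",
                                       "hive/worker01.example.com")))
```

Run the printed ldapsearch against a domain controller: if it returns an object for the userPrincipalName branch of the filter while the plain SPN search returned nothing, the "principal that doesn't exist" is sitting in the other attribute.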

For such a relevant change, it is hard to understand why there has been so little communication. Given that the change fixes a security flaw, Microsoft may not have wanted to give details in advance so that it could not be exploited by attackers, but once the change was published they could have given it more publicity. There is not even public information on what the security flaw fixed by this change consists of (although it can be speculated about, as will be seen later). Security through obscurity?

In the following article I explain the background of the problem and the possible solutions, with research help from Cloudera and Bluemetrix:

Constraint violation in Active Directory principal that doesn't exist