Windows Admin Center Resource Based delegation stopped working with KRB_AP_ERR_MODIFIED error

Our WAC installation SSO (via resource based delegation) stopped working last week for unknown reasons and it's driving me mad. The following event is logged on the WAC server when attempting to connect to a managed client (any of them) in the WebUI:

A Kerberos error message was received:
 on logon session 
 Client Time: 
 Server Time: 19:6:29.0000 11/29/2021 Z
 Error Code: 0x29 KRB_AP_ERR_MODIFIED
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm: 
 Client Name: 
 Server Realm: DOMAIN.COM
 Server Name: HTTP/accounting-02-m.domain.com
 Target Name: HTTP/[email protected]
 Error Text: 
 File: onecore\ds\security\protocols\kerberos\client2\kerbtick.cxx
 Line: 128d
 Error Data is in record data.

The corresponding error 0x29 is also logged on the targeted KDC.

Access to the WAC WebUI works fine for users and remote PowerShell to target machines outside WAC work as well for the same users. When access is denied to target machine in WAC and credentials are prompted, manually entering my creds allows access. The WebUI directly on the WAC server allows to use it as intended to access target machines via SSO. This rules out permission problems and seems to point towards a double hop delegation issue.

A capture of network traffic shows the TGS-REQ/REP for myself to access the WAC$ machine and then I see the TGS-REQ for the targeted machine service (ie HTTP/accounting-02-m.domain.com) with KRB-OPTION "constrained-delegation: True", followed by the KRB-ERROR for KRB5KRB_AP_ERR_MODIFIED...

I checked delegation for a sample machine and it looks as expected:

Path Owner                    Access  
---- -----                     ------ 
     BUILTIN\Administrators   DOMAIN\WAC$ Allow

I made sure secure channel is working between server/target and DC (I reset machine password anyways)

PS C:\> Test-ComputerSecureChannel
true

I check for SPN issues:

PS C:\> setspn -L accounting-02-m Registered ServicePrincipalNames for CN=ACCOUNTING-02-M,OU=Workstations,OU=Domain Computers,DC=domain,DC=com:
WSMAN/ACCOUNTING-02-M
WSMAN/ACCOUNTING-02-M.domain.com
TERMSRV/ACCOUNTING-02-M
TERMSRV/ACCOUNTING-02-M.domain.com
RestrictedKrbHost/ACCOUNTING-02-M
HOST/ACCOUNTING-02-M
RestrictedKrbHost/ACCOUNTING-02-M.domain.com
HOST/ACCOUNTING-02-M.domain.com

PS C:\> setspn -Q HTTP/accounting-02-m
Checking domain DC=domain,DC=com

No such SPN found.

I believe SPN mapping should take care of HOST->HTTP equivalence:

host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin

I use klist purge -li 0x3e7 to clear machine tickets prior to any testing.

The WAC server is Win2019, service running as "Network Service", KDCs are Win2019, and clients are a mix of Win10 and Win2012R2/2016/2019. Time delta is max 1s on all machines involved (KDC, Server, Target). We have a single domain forest.

I suspected KB5008380 due to this error logged on the KDC:

During TGS processing, the KDC was unable to verify the signature on the PAC from WAC$. This indicates the PAC was modified.

But couldn't find the registry key anywhere in the domain (nor the update installed on the KDCs).

From my understanding of the Kerberos RFCs, either checksum fails due to altered ticket in transit (unlikely), or service can't decrypt the ticket due to secure channel problem or SPN misconfiguration but all those look correctly configured.

What am I missing here? What is broken?


Ok so turns out KB5007206 is to blame, even tho the initial notes didnt mention the potential issue... im not risking the OOB update so uninstalling KB5007206 on the DCs solved the problem.