|
2019-01-11 04:19 AEST by Glen Starrett - Affects systems with CVS Suite Server on Windows 7 or Win2008R2.
A customer reports that after installing critical security update MS KB4480970,
they can no longer communicate with their CVS Suite server.
MS has identified the issue for users attempting to contact Windows
KB4480970 release notes. Their suggestion is to not use local administrator
accounts to access the machine remotely.
https://support.microsoft.com/en-us/help/4480970/windows-7-update-kb4480970
This affects our SSPI protocol, because the CVS Suite client uses the Windows
authentication mechanism to access the CVS Suite server.
Neither pserver nor sserver protocols are affected by this security update.
WORKAROUNDS:
Workarounds have been identified:
1) As recommended by Microsoft, you can use regular user accounts to access the
CVS Suite server remotely with SSPI. The issue only affects local users that
are in the Administrators group.
Note: If you need to maintain your user as a CVS Suite Administrator, you can
add the exact username to the "cvsadmin" file in your repository CVSROOT. The
cvsadmin file is generally only used on UNIX/LINUX systems, but the
functionality is a convenient workaround to this issue on Windows systems.
2) Use the sserver or pserver protocol instead of SSPI for communicating with
CVS Suite Server. |
|
2019-01-11 04:20 AEST by Glen Starrett - There is a 3rd workaround that I have tested:
3) (not recommended) Use the workaround documented on ghacks.net setting
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
to value 1 (reboot required, value is not present by default).
Note: This is not an official Microsoft site, use at your own risk.
https://www.ghacks.net/2019/01/09/windows-7-and-server-2008-r2-updates-kb4480970-and-kb4480960-causing-network-issues/
|
|
2019-01-11 04:22 AEST by Glen Starrett - Error message reported when bug is expressed:
C:\Users\glen>cvs -d :sspi:admin@192.168.1.146:/myrepo ls
cvs [ls aborted]: he handle specified is invalid
|
|
2019-01-11 04:23 AEST by Glen Starrett - Created an attachment (id=3309)
Server trace of error happening
Key trace information from server trace:
10:33:28: S -> Checking protocol sspi
10:33:28: S -> SSPI:ServerAuthenticate(Negotiate) AcquireCredentialsHandle
10:33:28: S -> SSPI:ServerAuthenticate() AcquireCredentialsHandle result = OK
10:33:28: S -> SSPI:ServerAuthenticate() AcceptSecurityContext
10:33:28: S -> SSPI:ServerAuthenticate() AcceptSecurityContext
10:33:28: S -> SSPI:ServerAuthenticate() (rc<0) [80090301] The handle specified is invalid
|
|
2019-01-11 04:24 AEST by Glen Starrett - Another link to an article discussing this issue:
https://www.theregister.co.uk/2019/01/09/windows_7_network_broken/ |
|
2019-01-11 04:28 AEST by Glen Starrett - Additional workaround (also not recommended):
4) The customer reports that uninstalling KB4480970 restores functionality.
|
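Added example (not part of the original bug report and not CVS Suite code): a PowerShell check an administrator could run on the CVS Suite server host to see which conditions from the comments above apply, namely whether KB4480970 is installed, whether LocalAccountTokenFilterPolicy has been set, and which local accounts are in the Administrators group. The function name is hypothetical; the ADSI lookup is used so the script also runs on the PowerShell 2.0 that ships with Windows 7 and Server 2008 R2.

```powershell
# Added example: report, on the CVS Suite server host, the conditions this bug depends on.
# Get-SspiLocalAdminExposure is a hypothetical name, not a CVS Suite or Microsoft command.
function Get-SspiLocalAdminExposure {
    # Only the KB id named in the report is checked. Get-HotFix raises an error
    # when the update is absent; treat that as "not installed".
    $hotfix    = Get-HotFix -Id 'KB4480970' -ErrorAction SilentlyContinue
    $installed = [bool]$hotfix

    # Registry value from workaround 3. It is not present by default; 1 turns off
    # UAC remote token filtering for local accounts, so it should be a known exception.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop   = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $policy = if ($prop) { $prop.LocalAccountTokenFilterPolicy } else { $null }

    # Resolve the built-in Administrators group by SID so localized names work.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"

    # Local members carry the computer name in their ADsPath; domain members do not.
    $localAdmins = @(
        @($group.psbase.Invoke('Members')) |
            ForEach-Object { $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) } |
            Where-Object { $_ -like "*/$env:COMPUTERNAME/*" } |
            ForEach-Object { ($_ -split '/')[-1] }
    )

    # Per the report: local Administrators fail over SSPI once the update is
    # installed, unless workaround 3 has been applied.
    $affected = $installed -and ($policy -ne 1) -and ($localAdmins.Count -gt 0)

    New-Object PSObject -Property @{
        KB4480970Installed            = $installed
        LocalAccountTokenFilterPolicy = $policy
        LocalAdministrators           = $localAdmins
        SspiLocalAdminLoginsAffected  = $affected
    }
}

Get-SspiLocalAdminExposure | Format-List
```

Accounts listed under LocalAdministrators are the ones workaround 1 would replace with regular user accounts, keeping CVS Suite administrator rights through the "cvsadmin" file.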