Whoever coined the term PrintNightmare must have been prescient, as the exploit has uncovered a Pandora’s box of issues with Microsoft’s printing stack, with the very latest being caused by Microsoft’s fix for the flaw.
Microsoft has posted a new Known Issue for their July 2021 Windows 10 Cumulative Update, warning companies that printing with smartcard-based authentication may stop working after they patch their print servers.
After installing updates released July 13, 2021 on domain controllers (DCs) in your environment, printers, scanners, and multifunction devices which are not compliant with section 3.2.1 of RFC 4556 spec, might fail to print when using smart-card (PIV) authentication.
The issue appears to affect all supported versions of Windows and Windows Server.
Microsoft explains the problem affects smart card authenticating printers, scanners, and multifunction devices that do not support DH or advertise support for des-ede3-cbc (“triple DES”) during the Kerberos AS request. Per section 3.2.1 of RFC 4556 spec, for this key exchange to work, the client has to both support and notify the key distribution centre (KDC) of their support for des-ede3-cbc (“triple DES”). Clients who initiate Kerberos PKINIT with key-exchange in encryption mode but neither support nor tell the KDC that they support des-ede3-cbc (“triple DES”), will be rejected.
If your device is affected, Microsoft recommends in the first instance to check if more recent firmware, which may fix the issue, is available from your vendor. Microsoft is also working on a work-around, which is not available yet, but recommends companies petition their vendor to deliver an update or offer a workaround.
Microsoft notes that devices that are affected when using smart card (PIV) authentication should work as expected when using username and password authentication.