Windows Kerberos Authentication Breaks After November Updates


    After installing the cumulative updates released on this month's Patch Tuesday, enterprise domain controllers may experience Kerberos sign-in failures and other authentication problems. Microsoft is investigating this newly reported known issue.

    On Windows 2000 and all later Windows versions, Kerberos has replaced NTLM as the default authentication protocol for domain-joined devices.

    According to BleepingComputer readers, the November updates “break Kerberos in situations where you have set the ‘This account supports Kerberos AES 256 bit encryption’ or ‘This account supports Kerberos AES 128 bit encryption’ Account Options set” (i.e., the msDS-SupportedEncryptionTypes attribute on user accounts in Active Directory).
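    The two Account Options quoted above are just bits in the msDS-SupportedEncryptionTypes attribute. The following PowerShell is an added example (not from the article or from Microsoft) that lists every AD object with either AES bit set and decodes the raw value, so an administrator can see which accounts match the reported trigger before or after installing the update. It assumes the RSAT ActiveDirectory module is installed and the caller can read the domain; it goes a little beyond the article by covering computer and gMSA objects as well as users, since the attribute exists on all of them.

```powershell
# Added example: enumerate AD objects whose msDS-SupportedEncryptionTypes
# attribute has the AES128 or AES256 flag set, and decode the bitmask.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
$EncTypes = [ordered]@{
    0x01 = 'DES_CBC_CRC'
    0x02 = 'DES_CBC_MD5'
    0x04 = 'RC4_HMAC'
    0x08 = 'AES128_CTS_HMAC_SHA1_96'   # "This account supports Kerberos AES 128 bit encryption"
    0x10 = 'AES256_CTS_HMAC_SHA1_96'   # "This account supports Kerberos AES 256 bit encryption"
}

function ConvertTo-EncTypeNames {
    param([int]$Value)
    if (-not $Value) { return '(not set: domain defaults apply)' }
    ($EncTypes.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $EncTypes[$_] }) -join ', '
}

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) only matches when ALL bits
# in the supplied value are set, so test the AES128 and AES256 bits separately.
$filter = '(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=8)' +
          '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=16))'

Get-ADObject -LDAPFilter $filter -Properties msDS-SupportedEncryptionTypes, objectClass |
    Select-Object Name, objectClass,
        @{ n = 'EncTypesRaw'; e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'EncTypes';    e = { ConvertTo-EncTypeNames $_.'msDS-SupportedEncryptionTypes' } },
        # AES-only means no DES or RC4 bit (0x07) is set alongside the AES bits.
        @{ n = 'AESOnly';     e = { -not ($_.'msDS-SupportedEncryptionTypes' -band 0x07) } } |
    Sort-Object AESOnly -Descending |
    Format-Table -AutoSize
```

    Run it on a domain-joined admin workstation; the AESOnly column separates accounts restricted to AES from those that merely have AES added on top of RC4.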

    Microsoft stated that Windows Servers with the Domain Controller role “may have Kerberos authentication difficulties after installing updates released on November 8, 2022, or later.”

    When this problem occurs, a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error is logged in the System section of the affected domain controller's Event Log with the following text.

    Errors recorded in the System event log of affected systems can be identified by the phrase “the missing key has an ID of 1”.

    According to the reported errors, the account <account name> did not have a valid key for issuing a Kerberos ticket (the missing key has an ID of 1). This occurred while processing an AS request for target service <target service>.
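    To check whether domain controllers are already hitting this condition, the PowerShell below (an added example, not code from the article or from Microsoft) pulls Event ID 14 from the Kerberos-Key-Distribution-Center provider in the System log of every DC in the domain, keeps only entries containing the “missing key has an ID of 1” phrase, and summarises which accounts are failing and on which DCs. The seven-day window, the regex used to extract the account name from the message text, and remote event-log read access are assumptions.

```powershell
# Added example: collect KDC Event ID 14 "missing key has an ID of 1" errors
# from all domain controllers and group them by the account named in each event.
# Assumes the RSAT ActiveDirectory module and rights to read each DC's System log remotely.
Import-Module ActiveDirectory

# Every DC in the current domain; replace with an explicit list if preferred.
$dcs = (Get-ADDomainController -Filter *).HostName

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = (Get-Date).AddDays(-7)   # assumed look-back window
}

$hits = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match 'the missing key has an ID of 1' } |
            ForEach-Object {
                # Assumed message layout: "... account <name> did not have a ... key ..."
                $account = if ($_.Message -match 'account\s+(\S+)\s+did not have') { $Matches[1] } else { '(unparsed)' }
                [pscustomobject]@{
                    DC          = $dc
                    TimeCreated = $_.TimeCreated
                    Account     = $account
                }
            }
    }
    catch {
        # Get-WinEvent throws when a DC simply has no matching events; only warn on other failures.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# One row per failing account: how often it failed and on which DCs.
$hits | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'DCs'; e = { ($_.Group.DC | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

    The account names this produces are the ones to cross-check against the msDS-SupportedEncryptionTypes settings the readers quoted above.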

    The following are just a few of the Kerberos authentication scenarios that may be affected:

    Signing in as a domain user could fail. Authentication with Active Directory Federation Services (AD FS) may also be impacted by this.

    Group Managed Service Accounts (gMSA) used with services such as Internet Information Services (IIS Web Server) may fail to authenticate.

    Domain user remote desktop connections might not succeed.

    Shared folders on workstations and file shares on servers may not be accessible.

    Printing operations that demand domain user authentication might not succeed.

    Both Client and Server Platforms are Affected

    The full list of affected platforms includes both client and server releases:

    Client: Windows 7 SP1, Windows 8.1, Windows 10 Enterprise 2015 LTSB, Windows 10 Enterprise LTSC 2016, Windows 10 version 20H2 or later, and Windows 11 version 21H2 or later.

    Server: Windows Server 2008 SP2 or later, up to and including Windows Server 2022, the most recent release.

    Microsoft says this known issue is not an expected outcome of the Netlogon and Kerberos security hardening that began to be enforced with the November 2022 Patch Tuesday updates.

    Devices used by home users and devices that are not joined to an on-premises domain are not affected. The issue also does not affect environments using non-hybrid Azure Active Directory or environments without on-premises Active Directory servers.

    Microsoft is working on a resolution and expects to have a fix available in the coming weeks.

    Redmond has previously fixed similar Kerberos authentication issues on Windows devices caused by security updates delivered as part of the November 2020 Patch Tuesday.