Microsoft has confirmed another issue with Kerberos authentication on Windows, as of November 13, 2022, in conjunction with the November 2022 updates. I had already reported that the November 8, 2022 security updates could cause such authentication problems. Now Microsoft has revealed some more details about the issue.
I had already reported on November 10, 2022 in the blog post Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues about the problems that occurred. However, that report was based on discussions on Twitter. Now Microsoft has officially confirmed the problem on November 13, 2022 on the Windows Release Health Status page for Windows 11 22H2 as well as on the corresponding pages for Windows 10.
Details and affected Windows versions
The issue only affects Windows systems that communicate with domain controllers and authenticate using Kerberos. Windows devices used by individuals at home or devices that are not part of an on-premises domain are not affected by this issue. Azure Active Directory environments that are not hybrid and do not have Active Directory servers on-premises are not affected. Regarding the affected systems, the November 13, 2022 post Sign in failures and other issues related to Kerberos authentication states that:
Sign in failures and other issues related to Kerberos authentication. After installing updates released on or after November 8, 2022, on Windows servers with the Domain Controller role, Kerberos authentication issues may occur. This issue can affect any Kerberos authentication in your environment. Some scenarios that may be affected:
- Domain user logon may fail. This can also affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA), used for services such as Internet Information Services (IIS Web Server), may fail to authenticate.
- Remote desktop connections with domain users may not be established.
- You may not be able to access shared folders on workstations and file shares on servers.
- Printing operations that require domain user authentication might fail.
When this issue occurs, a Microsoft Windows Kerberos Key Distribution Center error event with event ID 14 may occur in the System section of the event log on the domain controller. The error event contains the text below.
While processing an AS request for target service <service>,
the account <account name> did not have a suitable key for generating
a Kerberos ticket (the missing key has an ID of 1). The requested
etypes : 18 3. The accounts available etypes : 23 18 17.
Changing or resetting the password of <account name> will generate
a proper key.
Note: The affected events have the text "The missing key has an ID of 1".
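As an added defender-side example (not the script the article refers to, and not code from the blog or from Microsoft), the following PowerShell queries a domain controller's System log for the event ID 14 entries described above and lists, per affected account, which encryption types the KDC requested versus which keys the account actually had. The provider name, the regular expressions and the parameter names are assumptions based on the event text quoted above.

```powershell
# Added example: find Kerberos KDC event ID 14 entries carrying the
# "missing key has an ID of 1" marker and extract the etype lists.
# Assumes it runs on a DC (or against one via -ComputerName) with
# permission to read the System log; provider name is an assumption.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# Kerberos encryption-type numbers (RFC 3961 / RFC 4757) used to label the lists
$EtypeNames = @{
    1  = 'DES-CBC-CRC'
    3  = 'DES-CBC-MD5'
    17 = 'AES128-CTS-HMAC-SHA1-96'
    18 = 'AES256-CTS-HMAC-SHA1-96'
    23 = 'RC4-HMAC'
    24 = 'RC4-HMAC-EXP'
}

function Get-EtypeLabel([string]$Number) {
    $n = [int]$Number
    if ($EtypeNames.ContainsKey($n)) { $EtypeNames[$n] } else { "etype$n" }
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $msg = $e.Message
    # Only the "missing key has an ID of 1" variant is the known issue; skip other ID 14 events
    if ($msg -notmatch 'missing key has an ID of 1\b') { continue }

    $account   = if ($msg -match 'the account (\S+) did not have')        { $Matches[1] } else { '?' }
    $requested = if ($msg -match 'requested etypes\s*:\s*([\d ]+)\.')     { $Matches[1].Trim() -split '\s+' } else { @() }
    $available = if ($msg -match 'available etypes\s*:\s*([\d ]+)\.')     { $Matches[1].Trim() -split '\s+' } else { @() }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $account
        Requested = ($requested | ForEach-Object { Get-EtypeLabel $_ }) -join ','
        Available = ($available | ForEach-Object { Get-EtypeLabel $_ }) -join ','
    }
}
```

Accounts whose Available column lists only RC4-HMAC (23) while AES (17/18) is requested are the ones to watch; the event text itself notes that changing or resetting the account password generates a proper key.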
Microsoft writes that this issue is not expected to be related to the security hardening for Netlogon and Kerberos that is part of the November 2022 updates. Microsoft developers are working on a fix and expect it to be available in the next few weeks; the known issue entry will be updated with more information as it becomes available. The following Windows platforms are affected by this bug:
Clients:
Windows 11, version 22H2;
Windows 11, version 21H2;
Windows 10, version 22H2;
Windows 10, version 21H2;
Windows 10, version 21H1;
Windows 10, Version 20H2;
Windows 10 Enterprise LTSC 2019;
Windows 10 Enterprise LTSC 2016;
Windows 10 Enterprise 2015 LTSB;
Windows 8.1;
Windows 7 SP1
Server:
Windows Server 2022;
Windows Server 2019;
Windows Server 2016;
Windows Server 2012 R2;
Windows Server 2012;
Windows Server 2008 R2 SP1;
Windows Server 2008 SP2
Within the German blog post November 2022-Updates für Windows: Änderungen am Netlogon- und Kerberos-Protokoll and within the English version Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues, affected administrators are discussing strategies for mitigating the authentication issues. There is also a reference in the article to a PowerShell script to identify affected machines.
Similar articles:
Microsoft Security Update Summary (November 8, 2022)
Patchday: Windows 10-Updates (November 8, 2022)
Patchday: Windows 11/Server 2022-Updates (November 8, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (November 8, 2022)
Windows 10 20H2-22H2 Preview Update KB5018482 (Oct. 25, 2022)
Windows 11 22H2: Preview-Update KB5018496 (Oct. 25, 2022)
Windows 11 21H2: Preview Update (Oct. 25, 2022)
Windows Server 2022 Preview Update KB5018485 (Oct. 25, 2022)
Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues
Microsoft confirms Direct Access issues after Nov. 2022 updates
This update also breaks authentication with Server 2003, apparently – one of our partners ran into this problem during the updates' pre-deployment testing.
We are having authentication issues with Server 2003 too. Is there any solution for that?
Came up with nothing so far. None of the workarounds worked, or worked without side effects. At this moment they are keeping DCs without the 2022-11 updates, and talking to the business side about finally replacing these. I do not believe MS will do anything about Server 2003 problems, as it is out of support.
Same problem here. We have a Windows 2003 server running SQL 2000, and after the updates and patches we could no longer authenticate to SQL via Windows auth. This also means you will not be able to patch DCs going forward, as all new cumulative updates will include this patch.
You might want to try this and see if it works.
Go to the domain controller, select the user, open the Account tab, and under Account options check the two boxes "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption".
That worked for us. Are there any side effects from that?
The issue is back again after installing KB5021653 (out-of-band update)! Any ideas?
I read that there are still issues.