Microsoft confirms Kerberos authentication issues after Nov. 2022 updates

Windows[German]Microsoft has confirmed another issue with Kerberos authentication on Windows as of November 13, 2022 in conjunction with the November 2022 updates. I had already reported that the November 8, 2022 security updates could lead to these. Now Microsoft has revealed some more details about the issue.


Advertising


I had already reported on November 10, 2022 in the blog post Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues about the problems that occurred. However, the statements were based on statements discussed on Twitter. Now, an official confirmation by Microsoft on the November 13, 2022 update was made on the Windows Release Health Status page of Windows 11 22H2 as well as on the corresponding pages of Windows 10.

Details and affected Windows versions

The issue only affects Windows systems that communicate with domain controllers and authenticate using Kerberos. Windows devices used by individuals at home or devices that are not part of an on-premises domain are not affected by this issue. Azure Active Directory environments that are not hybrid and do not have Active Directory servers on-premises are not affected. Regarding the affected systems, the November 13, 2022 post Sign in failures and other issues related to Kerberos authentication states that:

Sign in failures and other issues related to Kerberos authentication. After installing updates released on or after November 8, 2022, on Windows servers with the Domain Controller role, Kerberos authentication issues may occur. This issue can affect any Kerberos authentication in your environment. Some scenarios that may be affected:

When this issue occurs, a Microsoft Windows Kerberos Key Distribution Center error event with event ID 14 may occur in the System section of the event log on the domain controller. The error event contains the text below.

While processing an AS request for target service <service>, 
the account <account name> did not have a suitable key for generating 
a Kerberos ticket (the missing key has an ID of 1). The requested 
etypes : 18 3. The accounts available etypes : 23 18 17. 
Changing or resetting the password of <account name> will generate 
a proper key.

Note: The affected events have the text "The missing key has an ID of 1".

Microsoft writes that this issue is not expected to have anything to do with the security hardening for Netlogon and Kerberos as part of the November 2022 updates. Microsoft developers are working on a fix and expect it to be available in the next few weeks. This known issue will be updated with more information as it becomes available. The following Windows platforms are affected by this bug:

Clients:
Windows 11, version 22H2;
Windows 11, version 21H2;
Windows 10, version 22H2;
Windows 10, version 21H2;
Windows 10, version 21H1;
Windows 10, Version 20H2;
Windows 10 Enterprise LTSC 2019;
Windows 10 Enterprise LTSC 2016;
Windows 10 Enterprise 2015 LTSB;
Windows 8.1;
Windows 7 SP1


Advertising

Server:
Windows Server 2022;
Windows Server 2019;
Windows Server 2016;
Windows Server 2012 R2;
Windows Server 2012;
Windows Server 2008 R2 SP1;
Windows Server 2008 SP2

Within the German blog post November 2022-Updates für Windows: Änderungen am Netlogon- und Kerberos-Protokoll and within the English version Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues affected administrators are discussing strategies how to mitigate the authentification issues. There is also a reference in the article to a PowerShell script to identify affected machines.

Similar articles:
Microsoft Security Update Summary (November 8, 2022)
Patchday: Windows 10-Updates (November 8, 2022)
Patchday: Windows 11/Server 2022-Updates (November 8, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (November 8, 2022)

Windows 10 20H2-22H2 Preview Update KB5018482 (Oct. 25, 2022)
Windows 11 22H2: Preview-Update KB5018496 (Oct. 25, 2022)
Windows 11 21H2: Preview Update (Oct. 25, 2022)
Windows Server 2022 Preview Update KB5018485 (Oct. 25, 2022)

Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues
Microsoft confirms Direct Access issues after Nov. 2022 updates


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in issue, Update, Windows and tagged , , , . Bookmark the permalink.

8 Responses to Microsoft confirms Kerberos authentication issues after Nov. 2022 updates

  1. rgi says:

    This update also breaks authentication with Servers 2003 apparently – one of our partners ran into this problem during updates' pre-deployment testing.

    • ibrahim says:

      we are having authentication issue with Servers 2003 too , is there any solution for that ?

      • rgi says:

        Came up with nothing so far. None of workarounds worked, or worked without side effects. At this moment they are keeping DCs without 2022-11 updates, and talking to the business side about finally replacing these. I do not beleive MS will do anything about Server 2003 problems, as it is out of support.

        • skippy99 says:

          Same problem here. We have a windows 2003 server running SQL 2000 and after the updates and patches we no longer could authenticate to SQL via windows auth. This also means you will not be able to patch DC's moving forward as all new cumulative updates will have this patch.

  2. sam khatha says:

    you might want to try this see if that work.
    Go to Domain controller, select users, account tab, under account option, check two boxes "This account support Kerberos AES 128 Bit Encryption and 256 Bit.

Leave a Reply

Your email address will not be published. Required fields are marked *