Out-of-band updates fix Kerberos authentication issues on DCs (Nov. 17, 2022)

The security updates released by Microsoft on November 8, 2022, are causing issues with Kerberos authentication to Windows Domain Controllers (DCs). Microsoft has since confirmed this and released an out-of-band update for Windows Server 2012 R2 to 1909 on November 17, 2022, to fix the issue. Addendum: Missing updates for Windows Server 2008 SP2 through Windows Server 2022 are now available and have been added. Addendum 2: Update for Windows Server 2008 R2 added.



I had already reported on the issue on November 10, 2022 in the blog post Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues. After installing updates released on November 8, 2022 or later on Windows servers with the Domain Controller role, Kerberos authentication issues may occur. This issue can affect any Kerberos authentication in your environment.

Domain users might fail to log in. Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate. Remote desktop connections to domain users may fail. Access to shared folders on workstations and file shares on servers may stop working. Print operations that require domain user authentication may also fail. Microsoft confirmed this in a separate post – see also the blog post Microsoft confirms Kerberos authentication issues after Nov. 2022 updates.

Updates fix Kerberos authentication issues

German blog reader Robert pointed out in this comment (thanks for that) that Microsoft has released unscheduled updates to fix Kerberos authentication issues as of November 17, 2022.

Addendum: I've now found the article Sign in failures and other issues related to Kerberos authentication on Windows Server 2022 Release health status, where Microsoft has announced the fixes.

The out-of-band updates are available for the following Windows Server versions and only need to be installed on Domain Controllers:

There was no update for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2022 when this article was written. This has been added in the meantime.



Note: I haven't found an update for Windows Server 2008 R2 yet. I assumed so far anyway that Windows Server 2008 R2 was not affected by the problem. But it is said (see e.g. the above addendum) that Microsoft wants to roll out the update next week.

Regarding the fixes that the updates perform, Microsoft writes in its support posts:

Addresses a known issue that affects Windows Servers that have the Domain Controller (DC) role. They might have Kerberos authentication issues if both of the following are true:

  • You installed a Windows update on or after November 8, 2022 on the DC.
  • You configured the SupportedEncrytionType key to remove the RC4 cipher at a domain level or on individual account.

You might receive Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 errors. These appear in the System section of the Event Log on your DC. The affected events include the text, "the missing key has an ID of 1".

The updates must be downloaded from the Microsoft Update Catalog and then manually installed on the Domain Controller (DC). For update KB5021655 for Windows Server 2019, Microsoft mentions a known issue (Cluster Service not starting). Details can be found in the support article linked above.
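
To check whether your DCs show the symptom Microsoft describes, the following added example (not from Microsoft or from this blog) counts Event ID 14 entries containing the quoted "missing key" text on each Domain Controller and reports whether a fix KB is installed. It assumes an elevated session, the ActiveDirectory module (RSAT), remote event log access and English event message text; the parameter names are my own, and only KB5021655 (Windows Server 2019) comes from the article.

```powershell
# Added example: count KDC Event ID 14 "missing key" errors per domain controller.
# Assumptions: elevated session, ActiveDirectory module (RSAT) installed, remote
# event log access to each DC, English event message text.
param(
    [datetime]$Since = '2022-11-08',     # release date of the updates named in the article
    [string[]]$FixKb = @('KB5021655'),   # Server 2019 fix named in the article; add the KB for your OS
    [string[]]$DomainController = @()    # empty = discover every DC in the current domain
)

Import-Module ActiveDirectory -ErrorAction Stop
if (-not $DomainController) {
    $DomainController = (Get-ADDomainController -Filter *).HostName
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = $Since
}

$report = foreach ($dc in $DomainController) {
    $status = 'ok'
    $hits = @()
    try {
        $hits = @(Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match 'missing key has an ID of 1' })
    } catch {
        # "No events found" is reported as an error; that is a clean result, not a failure.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $status = "query failed: $($_.Exception.Message)"
        }
    }
    # Installed updates on the DC that match one of the fix KBs passed in
    $fix = @(Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
        Where-Object { $FixKb -contains $_.HotFixID })

    [pscustomobject]@{
        DomainController = $dc
        Status           = $status
        Event14Count     = $hits.Count
        LastSeen         = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        FixInstalled     = ($fix.Count -gt 0)
    }
}

$report | Sort-Object Event14Count -Descending | Format-Table -AutoSize
```

A DC with a non-zero count, a recent LastSeen value and FixInstalled set to False is a candidate for the out-of-band update; a count that stops growing after installation indicates the fix took effect.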

Similar articles:
Patchday: Windows 10-Updates (November 8, 2022)
Patchday: Windows 11/Server 2022-Updates (November 8, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (November 8, 2022)
Windows 10 20H2-22H2 Preview Update KB5020030 (Nov. 15, 2022)
Windows 11 21H2: Preview-Update KB5019157 (Nov. 15, 2022)

Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues
Microsoft confirms Kerberos authentication issues after Nov. 2022 updates


