{"id":27675,"date":"2022-11-14T23:16:04","date_gmt":"2022-11-14T22:16:04","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=27675"},"modified":"2022-11-14T23:16:04","modified_gmt":"2022-11-14T22:16:04","slug":"microsoft-confirms-kerberos-authentication-issues-after-nov-2022-updates","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/11\/14\/microsoft-confirms-kerberos-authentication-issues-after-nov-2022-updates\/","title":{"rendered":"Microsoft confirms Kerberos authentication issues after Nov. 2022 updates"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/11\/14\/microsoft-besttigt-kerberos-authentifizierungsprobleme-nach-nov-2022-updates\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Microsoft has confirmed another issue with Kerberos authentication on Windows as of November 13, 2022 in conjunction with the November 2022 updates. I had already reported that the November 8, 2022 security updates could lead to such issues. Now Microsoft has revealed some more details about the issue.<\/p>\n<p><!--more--><br \/>\nI had already reported on November 10, 2022 in the blog post <a href=\"https:\/\/borncity.com\/win\/2022\/11\/10\/updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues\/\">Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol \u2013 causing issues<\/a> about the problems that occurred. However, that report was based on statements discussed on Twitter. 
Microsoft has now officially confirmed the issue, as of November 13, 2022, on the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/release-health\/status-windows-11-22H2\" target=\"_blank\" rel=\"noopener\">Windows Release Health Status page<\/a> for Windows 11 22H2 as well as on the corresponding pages for Windows 10.<\/p>\n<h2>Details and affected Windows versions<\/h2>\n<p>The issue only affects Windows systems that communicate with domain controllers and authenticate using Kerberos. Windows devices used by individuals at home or devices that are not part of an on-premises domain are not affected by this issue. Azure Active Directory environments that are not hybrid and do not have Active Directory servers on-premises are not affected. Regarding the affected systems, the November 13, 2022 post <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/release-health\/status-windows-11-22H2#2953msgdesc\" target=\"_blank\" rel=\"noopener\">Sign in failures and other issues related to Kerberos authentication<\/a> states that:<\/p>\n<blockquote><p>Sign in failures and other issues related to Kerberos authentication. After installing updates released on or after November 8, 2022, on Windows servers with the Domain Controller role, Kerberos authentication issues may occur. This issue can affect any Kerberos authentication in your environment. Some scenarios that may be affected:<\/p>\n<ul>\n<li>Domain user logon may fail. 
This can also affect <a href=\"https:\/\/learn.microsoft.com\/en-us\/dynamics365\/business-central\/dev-itpro\/administration\/authenticating-users-with-active-directory-federation-service\" target=\"_blank\" rel=\"noopener\">Active Directory Federation Services (AD FS) authentication<\/a>.<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/group-managed-service-accounts\/group-managed-service-accounts-overview\" target=\"_blank\" rel=\"noopener\">Group Managed Service Accounts (gMSA)<\/a>, used for services such as\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/iis\/get-started\/introduction-to-iis\/iis-web-server-overview\" target=\"_blank\" rel=\"noopener\">Internet Information Services (IIS Web Server)<\/a> may fail to authenticate.<\/li>\n<li>Remote desktop connections with domain users may not be established.<\/li>\n<li>You may not be able to access shared folders on workstations and file shares on servers.<\/li>\n<li>Printing operations that require domain user authentication might fail.<\/li>\n<\/ul>\n<\/blockquote>\n<p>When this issue occurs, a Microsoft Windows Kerberos Key Distribution Center error event with event ID 14 may be logged in the System section of the event log on the domain controller. The error event contains the text below.<\/p>\n<pre><code>While processing an AS request for target service &lt;service&gt;, \r\nthe account &lt;account name&gt; did not have a suitable key for generating \r\na Kerberos ticket (the missing key has an ID of 1). The requested \r\netypes : 18 3. The accounts available etypes : 23 18 17. \r\nChanging or resetting the password of &lt;account name&gt; will generate \r\na proper key.<\/code><\/pre>\n<p>Note: The affected events have the text \"The missing key has an ID of 1\".<\/p>\n<p>Microsoft writes that this issue is not expected to have anything to do with the security hardening for Netlogon and Kerberos as part of the November 2022 updates. 
Microsoft developers are working on a fix and expect it to be available in the next few weeks. This known issue will be updated with more information as it becomes available. The following Windows platforms are affected by this bug:<\/p>\n<p><strong>Clients:<br \/>\n<\/strong>Windows 11, version 22H2;<br \/>\nWindows 11, version 21H2;<br \/>\nWindows 10, version 22H2;<br \/>\nWindows 10, version 21H2;<br \/>\nWindows 10, version 21H1;<br \/>\nWindows 10, version 20H2;<br \/>\nWindows 10 Enterprise LTSC 2019;<br \/>\nWindows 10 Enterprise LTSC 2016;<br \/>\nWindows 10 Enterprise 2015 LTSB;<br \/>\nWindows 8.1;<br \/>\nWindows 7 SP1<\/p>\n<p><strong>Server:<br \/>\n<\/strong>Windows Server 2022;<br \/>\nWindows Server 2019;<br \/>\nWindows Server 2016;<br \/>\nWindows Server 2012 R2;<br \/>\nWindows Server 2012;<br \/>\nWindows Server 2008 R2 SP1;<br \/>\nWindows Server 2008 SP2<\/p>\n<p>In the German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2022\/11\/10\/november-2022-updates-fr-windows-nderungen-am-netlogon-und-kerberos-protokoll\/\">November 2022-Updates f\u00fcr Windows: \u00c4nderungen am Netlogon- und Kerberos-Protokoll<\/a> and in the English version <a href=\"https:\/\/borncity.com\/win\/2022\/11\/10\/updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues\/\">Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol \u2013 causing issues<\/a>, affected administrators are <a href=\"https:\/\/www.borncity.com\/blog\/2022\/11\/10\/november-2022-updates-fr-windows-nderungen-am-netlogon-und-kerberos-protokoll\/#comment-135782\" target=\"_blank\" rel=\"noopener\">discussing<\/a> strategies for mitigating the authentication issues. 
There is also a reference in the article to a PowerShell script to identify affected machines.<\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/09\/microsoft-security-update-summary-november-8-2022\/\">Microsoft Security Update Summary (November 8, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/09\/patchday-windows-10-updates-november-8-2022\/\">Patchday: Windows 10-Updates (November 8, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/09\/patchday-windows-11-server-2022-updates-november-8-2022\/\">Patchday: Windows 11\/Server 2022-Updates (November 8, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/09\/windows-7-server-2008-r2-windows-8-1-server-2012-r2-updates-november-8-2022\/\">Windows 7\/Server 2008 R2; Windows 8.1\/Server 2012 R2: Updates (November 8, 2022)<\/a><\/p>\n<p><a href=\"https:\/\/borncity.com\/win\/2022\/10\/27\/windows-10-20h2-21h2-preview-update-kb5018482-25-10-2022\/\">Windows 10 20H2-22H2 Preview Update KB5018482 (Oct. 25, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/10\/27\/windows-11-22h2-preview-update-kb5018496-25-10-2022\/\">Windows 11 22H2: Preview-Update KB5018496 (Oct. 25, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/10\/27\/windows-11-21h2-preview-update-kb5018483-25-10-2022\/\">Windows 11 21H2: Preview Update (Oct. 25, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/10\/27\/windows-server-2022-preview-update-kb5018485-oct-25-2022\/\">Windows Server 2022 Preview Update KB5018485 (Oct. 25, 2022)<\/a><\/p>\n<p><a href=\"https:\/\/borncity.com\/win\/2022\/11\/10\/updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues\/\">Updates for Windows (Nov. 
2022): Changes in Netlogon and Kerberos protocol \u2013 causing issues<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/11\/14\/microsoft-confirms-direct-access-issues-after-nov-2022-updates\/\" rel=\"bookmark\">Microsoft confirms Direct Access issues after Nov. 2022 updates<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft has confirmed another issue with Kerberos authentication on Windows as of November 13, 2022 in conjunction with the November 2022 updates. I had already reported that the November 8, 2022 security updates could lead to these. Now Microsoft has &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/11\/14\/microsoft-confirms-kerberos-authentication-issues-after-nov-2022-updates\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,22,2],"tags":[47,2751,195,194],"class_list":["post-27675","post","type-post","status-publish","format-standard","hentry","category-issue","category-update","category-windows","tag-issue","tag-patchday-11-2022","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/27675","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=27675"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/27675\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=27675"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bornci
ty.com\/win\/wp-json\/wp\/v2\/categories?post=27675"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=27675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}