Windows Kerberos authentication breaks after November updates

AFFASocial

  • November 14, 2022
  • 08:42 AM

Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos sign-in failures and other authentication problems after installing cumulative updates released during this month's Patch Tuesday.
Kerberos has replaced the NTLM protocol as the default authentication protocol for domain-connected devices on all Windows versions above Windows 2000.
BleepingComputer readers also reported three days ago that the November updates break Kerberos "in situations where you have set the 'This account supports Kerberos AES 256 bit encryption' or 'This account supports Kerberos AES 128 bit encryption' Account Options set (i.e., msDS-SupportedEncryptionTypes attribute) on user accounts in AD."
The known issue, actively investigated by Redmond, can affect any Kerberos authentication scenario within affected enterprise environments.
"After installing updates released on November 8, 2022 or later on Windows Servers with the Domain Controller role, you might have issues with Kerberos authentication," Microsoft explained.
"When this issue is encountered you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller with the below text."
Errors logged in system event logs on impacted systems will be tagged with a "the missing key has an ID of 1" keyphrase.
"While processing an AS request for target service <service>, the account <account name> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1)," the logged errors read.
The list of Kerberos authentication scenarios includes but is not limited to the following:

Affects both client and server platforms

The complete list of affected platforms includes both client and server releases:
  • Client: Windows 7 SP1, Windows 8.1, Windows 10 Enterprise LTSC 2019, Windows 10 Enterprise LTSC 2016, Windows 10 Enterprise 2015 LTSB, Windows 10 20H2 or later, and Windows 11 21H2 or later
  • Server: Windows Server 2008 SP2 or later, including the latest release, Windows Server 2022.
While Microsoft has started enforcing security hardening for Netlogon and Kerberos beginning with the November 2022 Patch Tuesday, the company says this known issue is not an expected result.
The issue does not impact devices used by home customers and those that aren't enrolled in an on-premises domain. Also, it doesn't impact non-hybrid Azure Active Directory environments and those that don't have on-premises Active Directory servers.
Microsoft is working on a fix for this known issue and estimates that a solution will be available in the coming weeks.
Redmond has also addressed similar Kerberos authentication problems affecting Windows systems caused by security updates released as part of November 2020 Patch Tuesday.
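
For triage of the issue described in this post, the following PowerShell is an added example, not code from the article or from Microsoft: it parses the Event ID 14 text quoted above and lists accounts whose msDS-SupportedEncryptionTypes has either AES option set. The function names and the sample account are made up for illustration; the bit values are the standard ones for that attribute.

```powershell
# Added example, not from the article. Bit values of msDS-SupportedEncryptionTypes.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08   # "supports Kerberos AES 128 bit encryption"
    'AES256-CTS-HMAC-SHA1-96' = 0x10   # "supports Kerberos AES 256 bit encryption"
}

function ConvertFrom-EncTypeMask([int]$Mask) {
    # Return the name of every encryption type whose bit is set in the mask.
    $EncTypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

function ConvertFrom-KdcEvent14([string]$Message) {
    # Field layout follows the Event ID 14 text quoted in the article.
    $re = 'target service (?<svc>.+?), the account (?<acct>.+?) did not have a suitable key' +
          '.*missing key has an ID of (?<id>\d+)'
    if ($Message -match $re) {
        [pscustomobject]@{ Service = $Matches['svc']; Account = $Matches['acct']; MissingKeyId = [int]$Matches['id'] }
    }
}

# Offline check on a constructed message (service and account names are made up).
$sample = 'While processing an AS request for target service krbtgt, the account svc-report ' +
          'did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).'
ConvertFrom-KdcEvent14 $sample
(ConvertFrom-EncTypeMask 0x18) -join ', '

# On a domain controller: Event ID 14 entries since the November 8, 2022 updates, counted per account.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 14; StartTime = [datetime]'2022-11-08'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
} -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-KdcEvent14 $_.Message } |
    Where-Object { $_.MissingKeyId -eq 1 } |
    Group-Object Account | Select-Object Count, Name

# Accounts with either AES option set (bitwise-OR LDAP match on 0x18 = 24); needs the ActiveDirectory module.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    Get-ADUser -LDAPFilter '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=24)' -Properties 'msDS-SupportedEncryptionTypes' |
        Select-Object SamAccountName, @{ n = 'EncTypes'; e = { (ConvertFrom-EncTypeMask $_.'msDS-SupportedEncryptionTypes') -join ', ' } }
}
```

Comparing the accounts named in the events with the accounts returned by the LDAP query shows whether the failures line up with the reader-reported condition.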
 
Interesting fact. Server-side authentication travels thru many layers. First your system, then your network switches/routers, your ISP and the end network --> server. That's a lot of things to rely on to make some software work. I am starting to see random situations when security measures will interrupt that multi layer chain and let me tell you, it's a bitch to figure out because we are talking 2 way communication over sometimes funky ports and odd information packets all in the name of protecting software licenses. It can get out of hand. That's exactly what started me cracking protections, a hobby I have long given up.
 