After installing the cumulative updates released on this month’s Patch Tuesday, enterprise domain controllers are experiencing Kerberos sign-in failures and other authentication problems. Microsoft is investigating the issue. Every Windows edition after Windows 2000 uses Kerberos, rather than NTLM, as the default authentication protocol for domain-joined devices.
Administrators who have “This account supports Kerberos AES 256 bit encryption” or “This account supports Kerberos AES 128 bit encryption” set as an account option (i.e., the msDS-SupportedEncryptionTypes attribute) on user accounts in Active Directory report that the November updates have broken Kerberos. The issue was first reported three days ago on BleepingComputer.
Redmond is currently investigating the problem, which affects any enterprise environment that relies on Kerberos authentication and can surface in a number of ways. Microsoft warned that “you might have issues with Kerberos authentication after installing updates released on November 8, 2022, or later on Windows Servers with the Domain Controller role.”
Microsoft adds: “When this problem occurs, the Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event may be generated” in the System log of your domain controller. On affected systems the errors carry the wording “the missing key has an ID of 1”: while processing an AS (authentication service) request for the target service <service>, the account <account name> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The following are examples of scenarios that may be affected:
- It’s possible that domain logins won’t work. Active Directory Federation Service (AD FS) authentication may also be impacted.
- Authentication may fail for Group Managed Service Accounts (gMSA) used by services such as Internet Information Services (IIS web server).
- Domain user Remote Desktop connections may not establish successfully.
- File sharing on computers and servers could be inaccessible.
- It’s possible that printing from a domain user would fail.
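To check an environment for the two indicators discussed above, the account option stored in msDS-SupportedEncryptionTypes and the KDC Event ID 14 entries on domain controllers, the following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and that the caller can read the System log on each domain controller.

```powershell
# Added example (not from the article or Microsoft). Assumes the ActiveDirectory
# module (RSAT) is available and the caller has read access to each DC's System log.
Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
$EncFlags = @{ DES_CRC = 0x1; DES_MD5 = 0x2; RC4 = 0x4; AES128 = 0x8; AES256 = 0x10 }

# Decode the attribute value into a readable list of encryption types.
function Get-KerberosEncTypes {
    param([int]$Value)
    if ($Value -eq 0) { return 'not set (defaults apply)' }
    ($EncFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } | Sort-Object) -join ','
}

# 1. Accounts (users and computers) that have the attribute set at all.
$filter = '(&(|(objectClass=user)(objectClass=computer))(msDS-SupportedEncryptionTypes=*))'
$accounts = Get-ADObject -LDAPFilter $filter -Properties msDS-SupportedEncryptionTypes, sAMAccountName

$report = foreach ($a in $accounts) {
    $v = [int]$a.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Account  = $a.sAMAccountName
        Value    = ('0x{0:X}' -f $v)
        EncTypes = Get-KerberosEncTypes $v
        # Accounts with either AES option set are the ones the article ties to the breakage.
        AesOption = (($v -band ($EncFlags.AES128 -bor $EncFlags.AES256)) -ne 0)
    }
}
$report | Sort-Object AesOption -Descending | Format-Table -AutoSize

# 2. KDC Event ID 14 on every domain controller over the last 7 days.
$dcs = (Get-ADDomainController -Filter *).HostName
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 14
            StartTime    = (Get-Date).AddDays(-7)
        } | ForEach-Object {
            # Keep only the first line of the message; it names the service and account.
            [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; Message = ($_.Message -split "`n")[0] }
        }
    } catch {
        # Get-WinEvent raises an error when no matching events exist; report it and move on.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}
$events | Sort-Object Time -Descending | Format-Table -AutoSize
```

Correlating the account names in the Event 14 messages with the AesOption column shows which affected principals carry the account option the article describes.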
Affects Both Client and Server Platforms
Every client and server version of these platforms is affected:
Client: Windows 7 Service Pack 1 (SP1), Windows 8.1, Windows 10 Enterprise LTSC 2019, Windows 10 Enterprise LTSC 2016, Windows 10 Enterprise 2015 LTSB, Windows 10 (20H2), and Windows 11 (21H2).
Server: Server 2008 Service Pack 2 or later, up to and including the newest iteration, Windows Server 2022.
Microsoft says this is an unintended consequence of the Netlogon and Kerberos security hardening shipped in the November 2022 Patch Tuesday updates. Consumer devices used in the home and devices not joined to an enterprise domain are not affected.
The problem also has no effect on non-hybrid Azure Active Directory environments or on environments without on-premises Active Directory servers. Microsoft has acknowledged the problem and says a fix will be released within the next few weeks. Microsoft earlier fixed Kerberos authentication issues that had plagued Windows computers since the release of the November 2020 Patch Tuesday security updates.