Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos sign-in failures and other authentication problems after installing cumulative updates released during this month's Patch Tuesday.
Kerberos has replaced the NTLM protocol as the default authentication protocol for domain-connected devices on all Windows versions above Windows 2000.
BleepingComputer readers also reported three days ago that the November updates break Kerberos "in situations where you have set the 'This account supports Kerberos AES 256 bit encryption' or 'This account supports Kerberos AES 128 bit encryption' Account Options set (i.e., msDS-SupportedEncryptionTypes attribute) on user accounts in AD."
The known issue, actively investigated by Redmond, can affect any Kerberos authentication scenario within affected enterprise environments.
"After installing updates released on November 8, 2022 or later on Windows Servers with the Domain Controller role, you might have issues with Kerberos authentication," Microsoft explained.
"When this issue is encountered you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller with the below text."
Errors logged in the System event log on impacted domain controllers contain the phrase "the missing key has an ID of 1".
"While processing an AS request for target service <service>, the account <account name> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1)," the logged errors read.
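As an added example (not from the article or from Microsoft), a small Python parser that picks these Event ID 14 records out of a text export of a domain controller's System log and counts the affected accounts and target services, so the scope of the problem can be assessed from the log alone. The "Provider|EventID|Message" export layout and the account and service names are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Provider and Event ID named in Microsoft's advisory for this issue.
KDC_PROVIDER = "Microsoft-Windows-Kerberos-Key-Distribution-Center"
KDC_EVENT_ID = 14

# Matches the Event ID 14 message text quoted in the article, capturing the
# target service, the affected account and the missing key ID.
MISSING_KEY_RE = re.compile(
    r"While processing an AS request for target service (?P<service>[^\s,]+), "
    r"the account (?P<account>.+?) did not have a suitable key for generating "
    r"a Kerberos ticket \(the missing key has an ID of (?P<key_id>\d+)\)"
)

# Constructed sample export of a DC's System log, one record per line in an
# assumed "Provider|EventID|Message" layout; account and service names are made up.
SAMPLE_EXPORT = r"""
Microsoft-Windows-Kerberos-Key-Distribution-Center|14|While processing an AS request for target service krbtgt/CORP.EXAMPLE, the account CORP\svc-web did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).
Example-Unrelated-Provider|1000|Constructed filler record that must be ignored.
Microsoft-Windows-Kerberos-Key-Distribution-Center|14|While processing an AS request for target service cifs/fs01.corp.example, the account CORP\jdoe did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).
Microsoft-Windows-Kerberos-Key-Distribution-Center|14|While processing an AS request for target service krbtgt/CORP.EXAMPLE, the account CORP\svc-web did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).
"""

@dataclass(frozen=True)
class MissingKeyEvent:
    service: str
    account: str
    key_id: int

def parse_export(text: str) -> list[MissingKeyEvent]:
    """Return the KDC Event ID 14 'missing key' records found in an export."""
    found = []
    for line in text.strip().splitlines():
        provider, event_id, message = line.split("|", 2)
        if provider != KDC_PROVIDER or int(event_id) != KDC_EVENT_ID:
            continue
        m = MISSING_KEY_RE.search(message)
        if m:
            found.append(MissingKeyEvent(m["service"], m["account"], int(m["key_id"])))
    return found

def summarize(events: list[MissingKeyEvent]) -> dict:
    """Count 'missing key ID 1' events per account: the blast radius visible from the log."""
    key1 = [e for e in events if e.key_id == 1]
    return {"events": len(key1),
            "accounts": dict(Counter(e.account for e in key1)),
            "services": sorted({e.service for e in key1})}
```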
The list of Kerberos authentication scenarios includes but is not limited to the following:
- Domain user sign-in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
- Remote Desktop connections using domain users might fail to connect.
- You might be unable to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication might fail.
Affects both client and server platforms
The complete list of affected platforms includes both client and server releases:
- Client: Windows 7 SP1, Windows 8.1, Windows 10 Enterprise LTSC 2019, Windows 10 Enterprise LTSC 2016, Windows 10 Enterprise 2015 LTSB, Windows 10 20H2 or later, and Windows 11 21H2 or later
- Server: Windows Server 2008 SP2 or later, including the latest release, Windows Server 2022.
While Microsoft has started enforcing security hardening for Netlogon and Kerberos beginning with the November 2022 Patch Tuesday, the company says this known issue is not an expected result.
The issue does not impact devices used by home customers or devices that aren't joined to an on-premises domain. It also doesn't impact non-hybrid Azure Active Directory environments or environments that don't have on-premises Active Directory servers.
Microsoft is working on a fix for this known issue and estimates that a solution will be available in the coming weeks.
Redmond has also previously addressed similar Kerberos authentication problems affecting Windows systems that were caused by security updates released as part of the November 2020 Patch Tuesday.
Comments
NoneRain - 1 year ago
Those having Event ID 42, this might help:
https://dirteam.com/sander/2022/11/09/knowledgebase-you-experience-errors-with-event-id-42-and-source-kdcsvc-on-domain-controllers/
WhyYouLoveMe - 1 year ago
"Those having Event ID 42, this might help: https://dirteam.com/sander/2022/11/09/knowledgebase-you-experience-errors-with-event-id-42-and-source-kdcsvc-on-domain-controllers/"
Going to try this tonight. I'm hopeful this will solve our issues. What a mess, Microsoft...
h_b_s - 1 year ago
How does Microsoft expect IT staff to keep their essential business services up-to-date when any given update has a much-larger-than-zero chance of breaking something businesses depend on to get work done?
Microsoft's answer has been "Let us do it for you, migrate to Azure!" but that's not a real solution for several reasons, not least of which are privacy and regulatory compliance concerns. But there's also the problem of maintaining 24/7 Internet access at all the business' facilities and clients. Misconfigurations abound as much in cloud services as they are on premises.
Microsoft doesn't give IT staff any time to verify the quality of any patches before availability (outside of C-week preview patches, which don't actually contain the security patches, so they're not really useful for testing since Patch Tuesday is always cumulative, not separate). The beta and preview channels don't actually seem to preview anything resembling releases; instead they're A/B testing, which is useless to anyone outside of Microsoft. Meanwhile businesses are getting sued for negligence for failing to patch, even if those patches might break more than they fix. CISOs/CSOs are going to jail for failing to disclose breaches. Disclosing those breaches is likely to get their company sued or in some jurisdictions open them up to regulatory fines...
This is becoming one big cluster fsck! To paraphrase Jack Nicholson: "This industry needs an enema!"
EmJayDeals - 1 year ago
I don’t see any official confirmation from Microsoft. What is the source of this information?
psykoaussie - 1 year ago
I found this notification from Microsoft by doing a Google search (found it through another tech site though), but I did note that it is tagged under Windows 11, not Windows Server.
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-22h2#2953msgdesc
lucid_green - 1 year ago
https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#november-2022
Here you go!
WhyYouLoveMe - 1 year ago
We're having problems with our on-premise DCs after installing the November updates. Event ID 14 errors from all our computers are logged even though our KrbtgtFullPacSignature reg key is set to Audit Mode (2) per the Microsoft guide. We will likely uninstall the updates to see if that fixes the problems.
If you can, don't reboot computers! This seems to kill off RDP access.
Jez-The-Penguin - 1 year ago
Got bitten by this. Uninstalled the updates on the DCs; have since found that allegedly applying the reg settings from the support docs fixes the issue. However, those docs don't mention you have to do it immediately or stuff will break; they just imply they turn on Auditing mode.
They should have made the reg settings part of the patch, a bit lame not doing so.
Also turning on reduced security on the accounts by enabling RC4 encryption should also fix it.
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
KB5021130: How to manage Netlogon protocol changes related to CVE-2022-38023
KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966
WhyYouLoveMe - 1 year ago
Uninstalling the November updates from our DCs fixed the trust/authentication issues. Hopefully, MS gets this corrected soon.
briangot - 1 year ago
From Reddit:
Workaround from MSFT engineer is to add the following reg keys on all your DCs. Fixed our issues, hopefully it works for you.
reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v KrbtgtFullPacSignature /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v RequireSeal /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v ApplyDefaultDomainPolicy /t REG_DWORD /d 0 /f
edit: 3rd reg key was what ultimately fixed our issues after looking at a kdc trace from the domain controller.
JustinFlynn - 1 year ago
I don't know if the update was broken or something wrong with my systems. The registry key was not created ("HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc\" KrbtgtFullPacSignature) after installing the update. This is on server 2012 R2, 2016 and 2019.
MikeF757 - 1 year ago
Remove these patches from your DC to resolve the issue.
kb5020023 - Windows Server 2012
kb5019964 - Windows Server 2016
kb5019966 - Windows Server 2019
lucid_green - 1 year ago
I would add 5020009 for Windows Server 2012 non-R2. 5020023 is for R2.
Also, Windows Server 2022: KB5019081. That one is also on the list.
Good times! Skipping cumulative and security updates for AD DS and AD FS!
I will still patch the .NET ones.
Oton - 1 year ago
Top man, thanks.. it worked here. Goodbye Kerberos error.
lucid_green - 1 year ago
Looking at the list of services affected, is this just related to DS Kerberos Authentication? Should I not patch IIS, RDS, and Files Servers? Or is this just at the DS level? If I don't patch my DCs, am I good? Or should I skip this patch altogether?
MikeF757 - 1 year ago
The November OS updates listed above will break Kerberos on any system that has RC4 disabled. RC4 should be disabled unless you are running systems that cannot use higher encryption ciphers. So, this is not an Exchange specific issue. The solution is to uninstall the update from your DCs until Microsoft fixes the patch.
PrazAU - 1 year ago
Great to know this. We are about to push November updates.
seanhennigan - 1 year ago
MS released out-of-band updates November 17, 2022. The fix is to install on DCs, not other servers/clients. After installing these updates, the workarounds you put in place are no longer needed.
Windows Server 2022: KB5021656
Windows Server 2019: KB5021655
Windows Server 2016: KB5021654
Windows Server 2012 R2: KB5021653
Windows Server 2012: KB5021652
Windows Server 2008 R2 SP1: This update is not yet available but should be available in a week
Windows Server 2008 SP2: KB5021657
PrazAU - 1 year ago
Oh well, even after we patched with the November 17, 2022 update, we see Kerberos authentication issues. Example: "Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate."
So, we are going to roll back the November update completely till Microsoft fixes this properly.
123gopher - 1 year ago
I've held off on updating a few Windows 2012 R2 servers because of this issue. I'd prefer not to hot patch. As I understand it, most servers would be impacted; ours are set up fairly out of the box. Can I expect MSFT to issue a revision to the Nov update itself at some point?
LearningWin - 1 year ago
Can anyone recommend any sites to sign up for notifications to warn us of potential issues such as what we have just witnessed with the MSFT November patches? I have not been able to find much; most simply talk about post-mortem issues and possible fix availability time frames. I guess they cannot warn in advance as nobody knows until it's out there.