Microsoft has released optional out-of-band (OOB) updates to fix a known issue triggering Kerberos sign-in failures and other authentication problems on enterprise Windows domain controllers after installing cumulative updates released during November's Patch Tuesday.
The company acknowledged the issue and started investigating on Monday, when it also said that the known issue could affect any Kerberos authentication scenario in affected enterprise environments.
While Microsoft also started enforcing security hardening for Kerberos and Netlogon with the November 2022 Patch Tuesday, it said that these authentication problems are not an expected result of that hardening.
Auth issues on impacted Windows versions
"After installing updates released on November 8, 2022 or later on Windows Servers with the Domain Controller role, you might have issues with Kerberos authentication," Microsoft explained.
"When this issue is encountered you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller with the below text."
The list of impacted Kerberos auth scenarios includes but is not limited to the following:
- Domain user sign-in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
- Remote Desktop connections using domain users might fail to connect.
- You might be unable to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication might fail.
Fix released for affected Windows versions
Today, Microsoft has released OOB emergency updates that Windows admins have to install on all Domain Controllers (DCs) in affected environments.
"You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue," Microsoft says.
"If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them."
The OOB updates released today are available only via the Microsoft Update Catalog and will not be offered via Windows Update.
Redmond has released cumulative updates for installation on Domain Controllers (no action needed on the client side):
Microsoft also released standalone updates which can be imported into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager:
- Windows Server 2012 R2: KB5021653
- Windows Server 2012: KB5021652
- Windows Server 2008 R2 SP1: KB5021651
- Windows Server 2008 SP2: KB5021657
You can find detailed WSUS deployment instructions on the "WSUS and the Catalog Site" page, and Configuration Manager instructions on the "Import updates from the Microsoft Update Catalog" page.
"If you are using security only updates for these versions of Windows Server, you only need to install these standalone updates for the month of November 2022," Microsoft added.
"If you are using Monthly rollup updates, you will need to install both the standalone updates listed above to resolve this issue, and install the Monthly rollups released November 8, 2022 to receive the quality updates for November 2022."
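As an added, defender-side example (not from the article and not Microsoft's own code), the following PowerShell script surveys every domain controller in the domain for the KDC Event ID 14 symptom quoted above and reports whether the standalone November 2022 OOB update the article lists for that server's OS shows up as installed. It assumes the RSAT ActiveDirectory module is available, that you have remote event-log and WMI rights on the DCs, and that the KB-to-OS mapping is complete only for the four server versions the article names; the mapping keys, the function Get-ExpectedOobKb and the parameter names are assumptions of this example.

```powershell
# Added example (not from the article or from Microsoft).
# Surveys all DCs for Kerberos KDC Event ID 14 in the System log and checks
# whether the standalone OOB KB the article lists for that OS is installed.
param(
    [int]$LookbackDays = 14,
    # KB IDs are the ones the article lists; keys are OS-name prefixes (assumed
    # naming). Add entries for other server versions from your own update source.
    [hashtable]$OobKbByOs = @{
        'Windows Server 2012 R2' = 'KB5021653'
        'Windows Server 2012'    = 'KB5021652'
        'Windows Server 2008 R2' = 'KB5021651'
        'Windows Server 2008'    = 'KB5021657'
    }
)

Import-Module ActiveDirectory

function Get-ExpectedOobKb {
    param([string]$OperatingSystem, [hashtable]$Map)
    # Match the longest key first so 'Windows Server 2012 R2' wins over
    # 'Windows Server 2012' for an OS string like 'Windows Server 2012 R2 Standard'.
    foreach ($key in ($Map.Keys | Sort-Object Length -Descending)) {
        if ($OperatingSystem -like "$key*") { return $Map[$key] }
    }
    return $null
}

$since = (Get-Date).AddDays(-$LookbackDays)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Symptom check: the provider and event ID the article quotes, in the
    # System log of the DC. Get-WinEvent errors when nothing matches, so
    # suppress that and treat it as zero events.
    $events = @(Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14
        StartTime    = $since
    })

    # Remediation check: is the expected standalone OOB KB present?
    $kb = Get-ExpectedOobKb -OperatingSystem $dc.OperatingSystem -Map $OobKbByOs
    $installed = $null
    if ($kb) {
        $installed = [bool](Get-HotFix -ComputerName $name -Id $kb -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        DomainController = $name
        OperatingSystem  = $dc.OperatingSystem
        Kdc14Count       = $events.Count
        # Get-WinEvent returns newest first, so [0] is the most recent hit.
        LastKdc14        = $(if ($events.Count) { $events[0].TimeCreated } else { $null })
        ExpectedOobKb    = $(if ($kb) { $kb } else { 'unknown - add to $OobKbByOs' })
        OobKbInstalled   = $installed
    }
}

# DCs still logging Event 14 float to the top; a $false in OobKbInstalled on
# such a DC is the first place to look.
$results | Sort-Object Kdc14Count -Descending | Format-Table -AutoSize
```

Get-HotFix reads Win32_QuickFixEngineering, which does not list every update type, so treat a `$false` in OobKbInstalled as a prompt to confirm in WSUS or Configuration Manager rather than as proof the update is missing. Remote Get-WinEvent needs the Remote Event Log Management firewall rules open on the DCs.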
Two years ago, Redmond addressed similar Kerberos auth problems affecting Windows systems caused by security updates released with the November 2020 Patch Tuesday.
Update November 18, 21:26 EST: Added link to Windows Server 2008 R2 SP1 standalone update.
Comments
JJTM001 - 1 year ago
Hi,
I take my chance to get an answer from here. First, we took many precautions with this new security update from Microsoft in the last weeks. We decided to discard the initial version of November 8th, then we waited until the arrival of the "Out-of-band" revision before releasing it on my domain controllers. It almost works fine... But we are facing a serious problem with some Windows Server 2003 member servers still in our domain. I searched on the Web and nobody talks about that.
The issue:
When I try to access a Windows Server 2003 file share (SMBv1) from a Windows 7 (not patched) / 7 ESU Y3 (patched) or Windows 10 (patched or not) or a Windows Server 2008 R2, 2012 R2, 2016, etc., it is no longer possible since my DCs were patched with 2022-11 OOB. If I roll back my DCs to 2022-10, it works fine!