Microsoft’s latest update comes with a known issue that causes enterprise domain controllers to experience Kerberos failures and other authentication problems. Updates released during the week of January 10th are affected.
Microsoft has transitioned the default authentication protocol for domain-connected devices from NTLM to Kerberos from Windows 2000 onward.
Readers of BleepingComputer reported that the November updates break KERBEROS in “situations where you have set the ‘This account supports Kerberos AES 256-bit encryption’ or ‘This account supports Kerberos AES 128-bit encryption’ Account Options set (i.e., msDS-SupportedEncryptionTypes attribute) on user accounts in AD.”
Windows DirectAccess is Microsoft’s solution to provide quick and reliable access to remote locations. On the other hand, Windows DirectAccess connectivity issues can cause connection interruptions, disconnections, and general disruptions in service.
Known issues are an early warning sign of potential security risks. Redmond is investigating this issue, and many other known issues too, so that your business stays secure.
“After installing updates released on November 8, 2022 or later on Windows Servers with the Domain Controller role,” Microsoft explained.
“When this issue is encountered, you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller with the below text.”
Logging errors in the system event logs on impacted systems will be tagged with the phrase “the missing key has an ID of 1.”
If a request for target service is being processed, account doesn’t have an up-to-date key for generating a Kerberos ticket.
The list of Kerberos authentication scenarios includes but is not limited to:
Author’s note: Certain sentences can not be rewritten without changing the meaning of the sentence.
If domain user sign-in fails, Active Directory Federation Services (AD FS) authentication may also fail.
If a Group Managed Service Account is used for IIS Web Server, it might fail to authenticate.
If you’re using a domain user, there might be some troubles connecting remotely.
​Many people have been having difficulties getting to shared folders on workstations and file shares on servers due to a new security measure.
If you’re using a print option that requires domain user authentication, it might fail.
Herpers’ clients include both small and large companies that need powerful payment solutions for their visitors.
Read the complete list of affected platforms, including client and server releases.
Microsoft makes operating systems for all types of devices, with some consumer PCs and tablets, as well as other Windows devices for enterprise and small businesses
Servers (on Windows) are designed to create and share a Virtual Machine environment with other servers. Servers helps you manage hardware requirements, hardware management settings, software updates, system management tasks, and more. The 5th edition release of this product is available here: https://www.microsoft.com/en-us/server-cloud/windows-server-products
Microsoft has started enforcing security hardening for Netlogon and Kerberos. These are two known issues, but they’re not expected as Microsoft wouldn’t have invested this time in a loophole they haven’t seen in many years.
None of the people impacted by this issue are home customers or those enrolled in an on-premises domain. All Azure Active Directory environments and those that don’t have on-premises Active Directory servers are unaffected by this issue.
Microsoft is looking into a fix for this known issue, and they estimate that it should be available in the next few weeks.
Microsoft has also addressed a similar Kerberos authentication issue affecting users of its Windows operating system. The November 2020 Patch Tuesday security updates caused the issue, but Redmond vouched to fix it.