Microsoft acknowledges Kerberos authentication issues caused by November updates
The torrent of problematic updates for Windows shows no signs of drying up. Since Patch Tuesday this month, Microsoft has already confirmed a Direct Access connectivity issue in various versions of Windows (which it sort of fixed by rolling back the update). Now the company has issued a warning that this month's updates are also causing problems with Kerberos authentication.
Despite the fact that the issue can lead to sign-in problems, failed Remote Desktop connections and printing not working, Microsoft has yet to offer either a fix or a workaround. Virtually every version of Windows is affected.
Acknowledging the latest in a string of update-related problems, Microsoft says: "After installing updates released on November 8, 2022 or later on Windows Servers with the Domain Controller role, you might have issues with Kerberos authentication. This issue might affect any Kerberos authentication in your environment".
In a post in Windows Release Health about known issues, the company goes on to provide examples of some issues that users may experience:
- Domain user sign in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
- Remote Desktop connections using domain users might fail to connect.
- You might be unable to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication might fail.
When this issue is encountered you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller with the below text. Note: affected events will have "the missing key has an ID of 1":
While processing an AS request for target service <service>, the account <account name> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of <account name> will generate a proper key.
Note: This issue is not an expected part of the security hardening for Netlogon and Kerberos starting with November 2022 security update. You will still need to follow the guidance in these articles even after this issue is resolved.
Windows devices used at home by consumers, or devices which are not part of an on-premises domain, are not affected by this issue. Azure Active Directory environments that are not hybrid and do not have any on-premises Active Directory servers are not affected.
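To check whether a domain controller is logging the Event ID 14 signature quoted above, the following PowerShell sketch filters event messages for the "missing key has an ID of 1" marker and lists the affected account with its etypes. It is an added example, not Microsoft's code. The function names and sample messages are constructed for illustration, and the etype labels are the standard Kerberos encryption type names.

```powershell
# Added example: triage KDC Event ID 14 messages for the marker in the advisory.
# Standard Kerberos encryption type numbers and their names.
$EtypeNames = @{ 1 = 'des-cbc-crc'; 3 = 'des-cbc-md5'; 17 = 'aes128-cts-hmac-sha1-96'
                 18 = 'aes256-cts-hmac-sha1-96'; 23 = 'rc4-hmac' }

function ConvertTo-EtypeList([string]$Numbers) {
    # "18 3" -> "18 (aes256-cts-hmac-sha1-96), 3 (des-cbc-md5)"
    ($Numbers.Trim() -split '\s+' | ForEach-Object {
        $n = [int]$_
        $name = if ($EtypeNames.ContainsKey($n)) { $EtypeNames[$n] } else { 'unknown' }
        "$n ($name)"
    }) -join ', '
}

function Get-AffectedKdcEvent {
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        # Report only events carrying the marker; the ")" stops "ID of 10" matching.
        if ($Message -notmatch 'the missing key has an ID of 1\)') { return }
        $pattern = '(?s)target service (?<svc>.+?), the account (?<acct>.+?) did not have' +
                   '.*?requested etypes\s*:\s*(?<req>[\d\s]+)\.' +
                   '.*?available etypes\s*:\s*(?<avail>[\d\s]+)\.'
        if ($Message -match $pattern) {
            [pscustomobject]@{
                Account   = $Matches.acct
                Service   = $Matches.svc
                Requested = ConvertTo-EtypeList $Matches.req
                Available = ConvertTo-EtypeList $Matches.avail
            }
        }
    }
}

# Constructed sample messages (account and service names are made up).
# The second one lacks the marker and must not be reported.
$sample = @(
    'While processing an AS request for target service krbtgt, the account svc-web$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of svc-web$ will generate a proper key.'
    'While processing an AS request for target service krbtgt, the account old-app did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 9). The requested etypes : 18 17. The accounts available etypes : 23. Changing or resetting the password of old-app will generate a proper key.'
)
$sample | Get-AffectedKdcEvent | Format-List

# On a domain controller, feed real events instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 14
#     ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' } |
#   Select-Object -ExpandProperty Message | Get-AffectedKdcEvent
```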
If you were hoping for a speedy fix, you're likely to be disappointed. Microsoft says that it is investigating the issue and estimates that a solution will be ready "in the coming weeks".