Microsoft - November 2022 updates - Kerberos problem

Kerberos issues with November 2022 updates

After installing the November 2022 updates, many users are experiencing issues with Kerberos authentication on machines joined to an Active Directory domain. What’s going on?

Once again this month, Windows updates are creating problems for administrators and disrupting machines joined to an Active Directory environment. This time, it is Kerberos authentication that is affected.

The American firm is aware of this problem and is investigating in order to offer companies a solution. Its official website reads: “After installing updates released November 8, 2022 on Windows servers with the domain controller role, you may experience issues with Kerberos authentication.”

When this new problem occurs, a specific event is generated on the domain controller, in the System log. This error, with ID 14 and named “Microsoft-Windows-Kerberos-Key-Distribution-Center Event”, includes the following message: “While processing an AS request for target service , the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of will generate a proper key.” It is mainly the part “the missing key has an ID of 1” that corresponds to this particular problem.
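As an added example (not taken from Microsoft or from the original article), the PowerShell below filters Event ID 14 messages for the “missing key has an ID of 1” marker and decodes the requested and available encryption types. The function names are hypothetical, and the sample message is constructed with placeholder service and account names.

```powershell
# Standard Kerberos encryption type numbers seen in the event text.
$EtypeNames = @{
    3  = 'DES-CBC-MD5'
    17 = 'AES128-CTS-HMAC-SHA1-96'
    18 = 'AES256-CTS-HMAC-SHA1-96'
    23 = 'RC4-HMAC'
}

function ConvertTo-EtypeList {
    # Hypothetical helper: turns "18 3" into readable etype names.
    param([string]$Numbers)
    if ([string]::IsNullOrWhiteSpace($Numbers)) { return 'unknown' }
    $names = foreach ($n in ($Numbers.Trim() -split '\s+')) {
        $id = [int]$n
        if ($EtypeNames.ContainsKey($id)) { $EtypeNames[$id] } else { "etype $id" }
    }
    $names -join ', '
}

function Select-KdcMissingKeyEvent {
    # Hypothetical helper: keeps only messages carrying the marker the
    # article describes and reports the account and both etype lists.
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        if ($Message -notmatch 'the missing key has an ID of 1') { return }
        $account   = if ($Message -match 'the account (\S+) did not have') { $Matches[1] } else { 'unknown' }
        $requested = if ($Message -match 'requested etypes\s*:\s*([\d ]+)') { $Matches[1] } else { '' }
        $available = if ($Message -match 'available etypes\s*:\s*([\d ]+)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Account   = $account
            Requested = ConvertTo-EtypeList $requested
            Available = ConvertTo-EtypeList $available
        }
    }
}

# Constructed sample message; EXAMPLE-USER and krbtgt are placeholders.
$sample = 'While processing an AS request for target service krbtgt, the account EXAMPLE-USER did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of EXAMPLE-USER will generate a proper key.'
$sample | Select-KdcMissingKeyEvent

# On a domain controller, feed the real System log events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 14;
#     ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' } |
#     ForEach-Object Message | Select-KdcMissingKeyEvent
```

Grouping the output by `Account` gives the list of accounts hitting this specific error, which helps scope the impact before deciding whether to uninstall the update.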

Microsoft also lists different scenarios that can generate this error and cause a Kerberos authentication problem:

  • Domain user login may fail. This can also affect ADFS authentication.
  • Group Managed Service Accounts (gMSA) used for services such as IIS Web Server may fail to authenticate.
  • Remote Desktop connections using domain users may fail.
  • You may be unable to access shared folders on workstations and file shares on servers.
  • Printing that requires domain user authentication may fail.

That still adds up to a lot of very common scenarios… And this would be linked to the patch put in place for the CVE-2022-37966 security flaw, although Microsoft did not specify.

The BleepingComputer site also mentions a Kerberos problem when the option “This account supports 128-bit AES encryption via Kerberos” or “This account supports 256-bit AES encryption via Kerberos” is checked, which is not the case by default. For its part, Microsoft does not mention these options for the moment.

Machines not joined to an Active Directory domain or joined to an Azure Active Directory environment without hybridization are not impacted.

Which versions of Windows are affected?

This problem affects the vast majority of Windows versions, since it concerns all versions from Windows 7 SP1 to Windows 11, which includes Windows 10, as well as all versions from Windows Server 2008 SP2 to Windows Server 2022.

For the moment, Microsoft does not give workarounds, although it is still possible to uninstall the updates. To be continued in the next few days.
