Fixing Kerberos Authentication Issues on Windows Server • The Register

Microsoft is rolling out fixes for issues with the Kerberos network authentication protocol on Windows Server after it was broken by November Patch Tuesday updates.

As we reported last week, updates released November 8 or later, when installed on Windows Server machines acting as domain controllers (which handle network and identity security requests), disrupted Kerberos authentication. The symptoms ranged from domain user login failures and group managed service account authentication failures to remote desktop logins not connecting.

There were other issues as well, including users being unable to access shared folders on workstations and printer connections that require domain user authentication failing.

“This issue could affect any Kerberos authentication in your environment,” Microsoft wrote in its Windows Health dashboard at the time, adding that engineers were working to resolve the issue.

At the end of last week, Microsoft published emergency out-of-band (OOB) updates that can be installed on all domain controllers, saying that users do not need to install further updates or make changes to other servers or client devices to resolve the issue. Additionally, any workarounds used to mitigate the issue are no longer needed and should be removed, the company wrote.

“You don’t need to apply a previous update before installing these cumulative updates,” according to Microsoft. “If you have already installed the updates released on November 8, 2022, you do not need to uninstall the affected updates before installing subsequent updates, including the [OOB] updates.”

Kerberos is used to authenticate service requests between multiple trusted hosts on an untrusted network such as the Internet, using secret key cryptography and a trusted third party to authenticate applications and user identities. It was created in the 1980s by researchers at MIT.

Microsoft started using Kerberos in Windows 2000 and it is now the operating system’s default authorization tool. Other versions of Kerberos, maintained by the Kerberos Consortium, are available for other operating systems, including Apple OS, Linux, and Unix.

On November 8, the vendor published two updates to strengthen the security of Kerberos – as well as Netlogon, another authentication tool – following two vulnerabilities tracked as CVE-2022-37967 and CVE-2022-37966. These updates caused authentication issues that have been resolved by the latest patches.

Users of Windows systems with the bug have sometimes seen a “Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14” error event in the System section of the event log on their domain controller, with text that included: “When processing an AS request for the target service the account did not have an appropriate key to generate a Kerberos ticket (the missing key has an ID of 1).”

For the standalone OOB update packages, users can search for the KB number in the Microsoft Update Catalog and manually import the patches into Windows Server Update Services (see instructions here) and Endpoint Configuration Manager (instructions here).

Microsoft has released cumulative updates to install on domain controllers: Windows Server 2022 (KB5021656), Windows Server 2019 (KB5021655) and Windows Server 2016 (KB5021654). ®
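To check a domain controller for the Event ID 14 symptom and for the OOB updates listed above, a script along these lines can be used. It is an added example, not code from the article or from Microsoft; the parameter names and the output field names are assumptions chosen for illustration.

```powershell
# Added example: run from an elevated session on (or against) a domain controller.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed parameter name
    [datetime]$Since = '2022-11-08'              # release date of the updates named in the article
)

# OOB cumulative updates listed in the article, keyed by OS release.
$oobKbs = [ordered]@{
    'Windows Server 2022' = 'KB5021656'
    'Windows Server 2019' = 'KB5021655'
    'Windows Server 2016' = 'KB5021654'
}

# 1. KDC Event ID 14 entries in the System log since the November 8 updates.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = $Since
}
# Get-WinEvent raises an error when nothing matches, so suppress it and
# normalise the result to an array (newest event first).
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                         -ErrorAction SilentlyContinue)

# Keep only events carrying the message text quoted in the article.
$matching = @($events | Where-Object { $_.Message -like '*missing key has an ID of 1*' })

# 2. Look for any of the listed OOB updates on the same machine.
# A later cumulative update supersedes these KBs, so an empty result here
# is not proof that the fix is missing; compare against the OS build as well.
$installed = @(Get-HotFix -ComputerName $ComputerName -Id ([string[]]$oobKbs.Values) `
                          -ErrorAction SilentlyContinue)

# 3. One summary object per domain controller, easy to export or aggregate.
[pscustomobject]@{
    ComputerName    = $ComputerName
    KdcEvent14Count = $matching.Count
    LastKdcEvent14  = ($matching | Select-Object -First 1).TimeCreated
    OobUpdateFound  = ($installed.HotFixID -join ', ')
}
```

A non-zero `KdcEvent14Count` whose `LastKdcEvent14` is later than the OOB update's install time is the case worth investigating further.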
