After the November patches, Windows Kerberos authentication fails
Kerberos authentication issue
After installing the cumulative updates released on this month’s Patch Tuesday (November 8, 2022), domain controllers in enterprise environments may encounter Kerberos sign-in failures and other authentication problems.
Microsoft is investigating this new known issue. Since Windows 2000, Kerberos has been the default authentication protocol for domain-joined devices in place of NTLM, so a fault in the Key Distribution Center (KDC) on a domain controller affects nearly every authentication in the domain.
According to Microsoft, the November updates “break Kerberos in situations where you have set the ‘This account supports Kerberos AES 256 bit encryption’ or ‘This account supports Kerberos AES 128 bit encryption’ Account Options”. Those checkboxes on the Account tab of a user or computer object in Active Directory Users and Computers set the AES flags in the account’s msDS-SupportedEncryptionTypes attribute.
The problem can affect any Kerberos authentication scenario in an impacted environment. Microsoft states that Kerberos authentication problems may appear on Windows Servers holding the Domain Controller role after installing the updates released on November 8, 2022 or later.
When the problem occurs, the System log on the domain controller records a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event with text along these lines: while processing an AS request for the target service “service”, the account “account name” did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).
The phrase “the missing key has an ID of 1” is the marker that identifies this issue in the System event logs of affected domain controllers. The following Kerberos authentication scenarios are only some of those that can be affected:
- Signing in as a domain user might fail. This can also affect authentication with Active Directory Federation Services (AD FS).
- Group Managed Service Accounts (gMSA) used by services such as Internet Information Services (IIS Web Server) might fail to authenticate.
- Remote Desktop connections using domain user accounts might not succeed.
- Shared folders on workstations and file shares on servers might not be accessible.
- Printing operations that need domain
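The post says the way to recognise this issue is Event ID 14 from the Kerberos KDC provider in the domain controller’s System log, and that the accounts involved are those with the AES flags set in msDS-SupportedEncryptionTypes. The PowerShell below is an added example, not part of the original post or of Microsoft’s guidance: it pulls those events from a domain controller, extracts the account named in each one, and decodes the account’s msDS-SupportedEncryptionTypes value so you can see which encryption types the account advertises. It assumes the ActiveDirectory RSAT module, read access to the DC’s System log, a $DomainController parameter, and that the event message uses the wording quoted above; the regular expression and the helper function names are illustrative assumptions.

```powershell
# Added example (not from the original post): correlate KDC Event ID 14 with the
# msDS-SupportedEncryptionTypes value of each account named in the events.
# Assumptions: ActiveDirectory RSAT module, rights to read the DC's System log,
# and the event message wording quoted in the post (the regex below is illustrative).
param(
    [string]$DomainController = $env:COMPUTERNAME
)

Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (documented in MS-KILE / MS-ADTS).
$EncTypeFlags = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertTo-EncTypeNames {
    param([int]$Value)
    # 0 or absent means the attribute is not set; the KDC then applies its own
    # default (historically RC4-HMAC only).
    if ($Value -eq 0) { return 'not set (KDC default; historically RC4-HMAC only)' }
    $names = foreach ($flag in $EncTypeFlags.Keys) {
        if ($Value -band $flag) { $EncTypeFlags[$flag] }
    }
    return ($names -join ', ')
}

function Get-KdcMissingKeyEvents {
    # Returns one object per Event ID 14 whose message matches the wording in the post.
    param([string]$ComputerName, [int]$MaxEvents = 500)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Illustrative regex: the message text is the one quoted in the post.
            if ($_.Message -match 'the account (?<account>\S+) did not have a suitable key.*missing key has an ID of (?<keyid>\d+)') {
                [pscustomobject]@{
                    TimeCreated  = $_.TimeCreated
                    Account      = $Matches.account
                    MissingKeyId = [int]$Matches.keyid
                }
            }
        }
}

# Summarise failures per account and show what the account advertises in AD.
$events = Get-KdcMissingKeyEvents -ComputerName $DomainController
$events | Group-Object Account | Sort-Object Count -Descending | ForEach-Object {
    $sam = $_.Name -replace '^.*\\', ''    # strip a DOMAIN\ prefix if present
    # Get-ADObject covers users, computers and gMSAs alike.
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties 'msDS-SupportedEncryptionTypes' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Account  = $_.Name
        Failures = $_.Count
        LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        EncTypes = ConvertTo-EncTypeNames -Value ([int]($obj.'msDS-SupportedEncryptionTypes'))
    }
} | Format-Table -AutoSize

# Independently of the event log, list every account that has either AES flag set,
# using the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803).
Get-ADObject -LDAPFilter '(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=8)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=16))' `
    -Properties 'msDS-SupportedEncryptionTypes' |
    Select-Object Name, ObjectClass, @{n='EncTypes'; e={ ConvertTo-EncTypeNames -Value ([int]$_.'msDS-SupportedEncryptionTypes') }}
```

Run it on, or against, a domain controller with an account that can read the System log and query AD. The first table tells you which accounts are actually failing and how often; the second query enumerates every account with AES128 or AES256 enabled, which is the population the post says is exposed to this issue, so you can compare the two lists before and after applying any fix from Microsoft.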