Active Directory

Kerberos Authentication failure after installing the November 2022/OOB updates?

Kerberos Authentication

Hello All,

Hope this post finds you in good health and spirit.

Kerberos Authentication failure after installing the November 2022/OOB updates?

The Kerberos Key Distribution Center (KDC) Service on the Domain Controller has changed how it determines what encryption types are supported by the KDC and what encryption types are supported by default for users, computers, Group Managed Service Accounts (gMSA), and trust objects within the domain. This change was made with the November 2022 security update.

If you are unaware of the types of Kerberos encryption or what the Windows Operating System supports, it is highly advised that you read the following article before continuing:

Understanding Kerberos encryption types: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-…

Be informed that there were some unexpected behavior with the November update before we get into everything that has changed:

November out-of-band announcement: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/november-2022-out-of-band-upd…

Kerberos changes related to Encryption Type: https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-rela…

November out-of-band guidance: https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#2961

You can have Kerberos authentication issues on Windows domain controllers after applying November 8, 2022’s Windows updates.

The logging of Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 with this particular signature in the event message content on DC role PCs identifies this specific failure.

Solution

Step 1

The most recent Windows update should be uninstalled from the Domain Controllers.

Even though it is not advised, this reopens lines of contact. These interactions must be restored first since the solution relies on communications with Active Directory and via Group Policy.

Step 2

Find any Group Policy Objects (GPOs) that are used to configure Network Security: Set the encryption types that are permitted for Kerberos Group Policy. Remove this setting from the list of the devices that are impacted by the problems, or, as Microsoft suggests, set it to Not Configured.

Restart the affected domain-joined devices, push the updated configuration from Group Policy Management (gpmc.msc), or wait up to 120 minutes for background Group Policy refreshes to take effect.

Step 3

Find any Active Directory object that has the msDS-supportedEncryptionTypes property specified with values.

Get-ADObject -Filter “msDS-supportedEncryptionTypes -bor 0x18 -and -not msDS-supportedEncryptionTypes -bor 0x7”

Configure the available Kerberos key encryption types to either the ones that were listed in the event or delete any specifically defined attributes that:

Do not filter in the AES256 HMAC SHA1 SK encryption type that was added with the November 2022 updates, and do not include the RC4 HMAC MD5 encryption type (bit 3, represented by the decimal value 4 or the hexadecimal value 0x4) (bit 6, represented by the decimal value 32 or the hexadecimal value 0x20).
Instead of being supplied in decimal format, the msDS-supportedEncryptionTypes property is provided in HEX format. 

Step 4

From the Domain Controllers, reinstall the most current Windows update.

So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day !!!

Recommended content

RODC Installation Guide- Step by step guide to install read only domain controller

RODC Filtered Attribute Set

Installing and configuring a RODC in Windows Server-2012

How to find the GUID of Domain Controller

Understanding Group Policy Preferences

Group Policy Verification Tool GPOTool Exe

Group Policy Health Check on Specific Domain Controller

Netlogon Folder in Active Directory

Custom Attributes in Active Directory

Tombstone Lifetime of My Active Directory Forest

Computers AD Site From the Command Line

Active Directory Database Integrity

Disabling and Enabling the Outbound Replication

DFS Replication Service Stopped Replication

Strict Replication Consistency

The replication operation failed because of a schema mismatch between the servers involved

Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers

Replication information in txt file

Repadmin Replsummary

Enabling the outbound replication

Guys please don’t forget to like and share the post.Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them .

You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

Was this article helpful?
YesNo

Vipan Kumar

He is an Active Directory Engineer. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@windowstechno.com Please subscribe our Facebook page as well website for latest article. https://www.facebook.com/windowstechno
Back to top button