Active Directory

Legacy applications are not working after installing the Jan 2023 patches

Hello All,

Hope this post finds you in good health and spirit.

2003 servers’ authentication is not working after installing the Jan 2023 patches.

Kerberos authentication is failing after installing the Jan 2023 patches. it has been detected and reported earlier in November and  It seems that Microsoft have released already a fix, as documented in the Known Issues section of this rollup but again issue is detected in jan month patches.

Shared folder are not accessible 

“Domain credentials are not working” error in Remote Desktop Connections

Error in Legacy application authentication.

Error: GSSException: Failure unspecified at API level (Mechanism level: AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_cnctypes list)

The November and Jan 2023 updates, according to MS “break Kerberos in situations where you have set the ‘This account supports Kerberos AES 256 bit encryption’ or ‘This account supports Kerberos AES 128 bit encryption’ Account Options set” (i.e., the msDS-SupportedEncryptionTypes attribute on user accounts in AD). Any Kerberos authentication situation inside impacted business setups can be impacted by the known problem, which Microsoft is currently investigating.

You can have Kerberos authentication problems on Windows Servers with the Domain Controller role after installing updates issued on November 8, 2022 or later. According to Microsoft. You can see a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of your Domain Controller’s Event Log with the following language when this problem arises.

The phrase “the missing key has an ID of 1” will be used to identify errors that are recorded in the system event logs of impacted systems. The account “account name” didn’t have an appropriate key for producing a Kerberos ticket while processing an AS request for the target service “service,” and the missing key has an ID of 1, according to the reported problems. The following examples of Kerberos authentication situations are just a few.

  • Signing in as a domain user might fail. Authentication with Active Directory Federation Services (AD FS) may potentially be impacted by this.
  • It’s possible for Group Managed Service Accounts (gMSA) to have authentication issues when used with services like Internet Information Services (IIS Web Server).
  • Domain user remote desktop connections might not succeed.
  • Shared folders on workstations and file shares on servers may not be accessible.
  • Printing operations that need domain

There are many workaround to fix this problem. We will explain all the workaround those will help to resolve this problem but before that please understand the RC4 and AES 256 encryption. The main difference between AES and RC4 is that they use separate ciphers. AES is blocking encryption that uses block sizes to encode plain text.  On the other hand, RC4 is a stream encryption algorithm that encrypts a bit at a time, similar to how a stream flows. Comparison Table Between AES and RC4

Parameters AES RC4
Meaning The Advanced Encryption Standard is a type of symmetric block encryption. Rivest Cipher 4 is a symmetric stream cipher.
Source In 1997, an open contest was held to design AES. In 1987, Ron Rivest created RC4.
Security AES is a much more secure algorithm than RC4. RC4 is much less safe than AES.
Key lengths 128, 192, and 256 bits 64 or 128 bits
Uses SSL, TSL, etc. NASA, NIST, etc

Workaround

Please add the below registry entry on domain controllers to support RC4 protocol.

HKLM\SYSTEM\CurrentControlSet\Services\KDC\DefaultDomainSupportedEncTypes with a value of 0x7.

If you have multiple domain controllers in environment, please add this registry value via GPO instead making changes on all DCs manually. But please keep in mind this is temporary workaround and we should not place it as permanently. As we know RC4 encryption is insecure and vulnerable and we should not keep our domain controller as vulnerable. Also change the value of computer object in AD for the Windows Server 2003 file server msDS-SupportedEncryptionTypes attirbute a value of 4.

You can use the powershell command:

Set-ADComputer NameSERVERWithUnsupportedSO -Add @{'msDS-SupportedEncryptionTypes'=4}
Or
Set-ADComputer NameSERVERWithUnsupportedSO -Add @{'msDS-SupportedEncryptionTypes'=7}

Important note- Please try to upgrade your existing Legacy applications to higher encryption so that your application can authenticate with domain controllers that are using AES 128 and AES 256 bit encryption.

So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day !!!

Recommended content

How to Check the Active Directory Database Integrity

Disabling and Enabling the Outbound Replication

DFS Replication Service Stopped Replication

What is Strict Replication Consistency

The replication operation failed because of a schema mismatch between the servers involved

Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers

How to export replication information in txt file

Repadmin Replsummary

Enabling the outbound replication

Disabling and enabling replication on schema master domain controller

How to enable strict replication consistency

How to prevent lingering objects replication in active directory

AD replication process overview

How to force active directory replication

Change notification in replication process

How to check replication partner for a specific domain controller

dcdiag test replications

Guys please don’t forget to like and share the post. You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

Was this article helpful?
YesNo

Vipan Kumar

He is an Active Directory Engineer. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@windowstechno.com Please subscribe our Facebook page as well website for latest article. https://www.facebook.com/windowstechno
Back to top button