RMAD Backup Failure: A logon request contained an invalid logon type value
January 10, 2023—KB5022286
This update addresses security issues for your Windows operating system.
Improvements
This security update includes improvements. When you install this KB:
- New! This update provides the Quick Assist application for your client device.
- This update addresses an issue that might affect authentication. It might fail after you set the higher 16-bits of the msds-SupportedEncryptionTypes attribute. This issue might occur if you do not set the encryption types or you disable the RC4 encryption type on the domain.
- This update addresses an issue that affects cluster name objects (CNO) or virtual computer objects (VCO). Password reset fails. The error message is, “There was an error resetting the AD password… // 0x80070005”.
- This update addresses an issue that affects Microsoft Defender for Endpoint. Automated investigation blocks live response investigations.
- This update addresses a known issue that affects apps that use Microsoft Open Database Connectivity (ODBC) SQL Server Driver (sqlsrv32.dll) to connect to databases. The connection might fail. You might also receive an error in the app, or you might receive an error from the SQL Server.
If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
For more information about security vulnerabilities, please refer to the new Security Update Guide website and the January 2023 Security Updates.
Unable to create backups with a gMSA account in the RMAD tool after installing the Microsoft February patches
Issue Description
RMAD is unable to connect to SQL using a gMSA account after installing the January or February Microsoft patches. Since October, a number of changes have been made to Kerberos, the KDC and the Netlogon channel, and Microsoft has released these changes via patches.
Because of these patches, legacy applications stopped working: they are unable to authenticate with the KDC using the latest 128-bit and 256-bit encryption methods. After installing Microsoft patches KB5022289/KB5022286/KB5022845/KB5022836, backups are not created with a gMSA account and the following error message is triggered: “A logon request contained an invalid logon type value”.
Cause
The behavior change has been confirmed to be the result of a deliberate change made by Microsoft to fix a security issue with group managed service accounts (gMSA). This change, which breaks RMAD functionality, was introduced with Microsoft security patches KB5022289/KB5022286/KB5022845/KB5022836.
After the November patches, Microsoft stopped supporting RC4 encryption for legacy applications. We suspect that the SQL Server integrated with RMAD is still using the lower version of NTLM with RC4 encryption, and that this is the main reason the SPN for SQL Server is not being created via the gMSA account.
Because of this SPN registration issue, the gMSA account is unable to connect to SQL Server and the backup fails with this error. Note: SQL Server is required to store RMAD backup-related information.
Resolution
There is no permanent solution for this problem; however, we are still testing a solution in our lab to make gMSA compatible with the RMAD product.
- Change the RMAD server object so that it supports RC4 encryption.
- Change the SPN so that it works with the latest encryption.
- Convert the RMAD service account from a gMSA to a non-gMSA account to resolve this error.
- Uninstall the latest patches from the RMAD server so that RMAD supports the backup operation for gMSA accounts.
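A read-only check that helps before trying either of the first two options: it decodes msDS-SupportedEncryptionTypes on the gMSA and the RMAD server object and lists their SPNs. This is an added example, not code from the original post or from the RMAD product; the function names and sample values are assumptions, and the AD query needs the ActiveDirectory (RSAT) module.

```powershell
# Added example. Bit values follow MS-KILE 2.2.7 (msDS-SupportedEncryptionTypes).
$EtypeBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    @{ Bit = 0x04; Name = 'RC4-HMAC' }
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x20; Name = 'AES256-CTS-HMAC-SHA1-96-SK' }
)

function ConvertFrom-SupportedEncryptionTypes {
    param($Value)   # Int32 read from AD, or $null when the attribute is not set
    $v   = if ($null -eq $Value) { 0 } else { [int]$Value }
    $low = $v -band 0xFFFF                       # encryption-type flags
    $names = foreach ($e in $EtypeBits) { if ($low -band $e.Bit) { $e.Name } }
    [pscustomobject]@{
        Raw         = '0x{0:X}' -f $v
        Etypes      = @($names) -join ', '
        Rc4         = [bool]($low -band 0x04)
        Aes         = [bool]($low -band 0x18)
        HighBitsSet = (($v -shr 16) -ne 0)       # the "higher 16 bits" named in the KB note
        NoEtypeBits = (($low -band 0x3F) -eq 0)  # no explicit encryption type configured
    }
}

# Constructed sample values (not from the post): AES+RC4, AES only, RC4 only,
# high bits only, attribute absent.
0x1C, 0x18, 0x04, 0x50000, $null |
    ForEach-Object { ConvertFrom-SupportedEncryptionTypes $_ } | Format-Table -AutoSize

# Hypothetical helper: queries AD without modifying anything. Pass your own names.
function Get-RmadEtypeReport {
    param([Parameter(Mandatory)][string]$GmsaName,
          [Parameter(Mandatory)][string]$ComputerName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $props = 'msDS-SupportedEncryptionTypes', 'ServicePrincipalNames'
    $objs = @(
        Get-ADServiceAccount -Identity $GmsaName -Properties $props
        Get-ADComputer -Identity $ComputerName -Properties $props
    )
    foreach ($o in $objs) {
        ConvertFrom-SupportedEncryptionTypes $o.'msDS-SupportedEncryptionTypes' |
            Add-Member -NotePropertyName Account -NotePropertyValue $o.SamAccountName -PassThru |
            Add-Member -NotePropertyName SPNs -NotePropertyValue ($o.ServicePrincipalNames -join '; ') -PassThru
    }
}
```

A row with `HighBitsSet` true and `NoEtypeBits` true matches the condition described in the KB note above; an empty `SPNs` column on the account that should hold the SQL Server SPN points at the registration problem described under Cause.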
So, that’s all in this blog. I will meet you soon with the next stuff. Have a nice day!