Microsoft issues update to fix Kerberos sign-in failures
A few days after Microsoft acknowledged problems with Kerberos authentication that affected Windows Servers with the Domain Controller role, causing domain user sign-ins and Remote Desktop connections to fail, Microsoft released an emergency optional out-of-band (OOB) update.
The out-of-band updates available are KB5021652, KB5021653, KB5021654, KB5021655, KB5021656, and KB5021657, all of which must be installed manually.
“After installing updates released on November 8, 2022 or later on Windows Servers with the Domain Controller role, you might have issues with Kerberos authentication. When this issue is encountered you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller with the below text,” Microsoft explained.
The list of affected Kerberos authentication scenarios includes: Active Directory Federation Services (AD FS) authentication; Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server); and Remote Desktop connections. Others include the inability to access shared folders on workstations and file shares on servers, and the inability to carry out printing that requires domain user authentication.
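The Event ID 14 symptom and the KB list above lend themselves to a quick triage check on a Domain Controller. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes it is run elevated on a DC and that Get-HotFix reflects the installed cumulative updates.

```powershell
# Added example (not from the article or Microsoft): check a Domain Controller for the
# Kerberos KDC Event ID 14 symptom and for the November 17, 2022 out-of-band updates.
# Assumptions: running elevated, System log readable, Get-HotFix lists installed CUs.

$OobKbs = 'KB5021652','KB5021653','KB5021654','KB5021655','KB5021656','KB5021657'
$Since  = (Get-Date).AddDays(-14)   # look-back window; adjust as needed

# 1. Look for the KDC error event Microsoft cites (provider name and ID as in the advisory).
$kdcEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = $Since
} -ErrorAction SilentlyContinue

if ($kdcEvents) {
    Write-Host ("{0} Kerberos KDC Event ID 14 entries since {1}" -f @($kdcEvents).Count, $Since)
    $kdcEvents | Select-Object -First 3 TimeCreated, Message | Format-List
} else {
    Write-Host "No Kerberos KDC Event ID 14 entries since $Since"
}

# 2. Check whether one of the out-of-band fixes is present on this host.
$installed = Get-HotFix | Where-Object { $OobKbs -contains $_.HotFixID }
if ($installed) {
    $installed | ForEach-Object {
        Write-Host ("OOB fix present: {0} (installed {1})" -f $_.HotFixID, $_.InstalledOn)
    }
} elseif ($kdcEvents) {
    Write-Warning "Symptom observed and no OOB update found: install the KB matching this OS build manually."
} else {
    Write-Host "No OOB update found; no Event ID 14 symptom observed in the window."
}
```

Run it on each DC, since Microsoft's guidance is to install the OOB update on all Domain Controllers rather than on clients or other servers.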
The breakage followed a patch in which Microsoft's security team made another set of security hardening changes that fixed two vulnerabilities tracked as CVE-2022-37967 and CVE-2022-37966; those same changes also broke several key authentication scenarios, resulting in failed logins and failed RDP connections.
Microsoft says in an update to the acknowledgement post in the known issues section of Windows release health: “This issue was resolved in out-of-band updates released November 17, 2022 for installation on all the Domain Controllers (DCs) in your environment. You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue. If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them.”
The sources for this piece include an article in BleepingComputer.