Kerberos Authentication Issues After November's Patch Tuesday

On Patch Tuesday, November 8th, 2022, Microsoft aimed to fix six actively exploited vulnerabilities and a total of 68 flaws. While these flaws were fixed, organizations are now experiencing various issues with Kerberos authentication on Windows servers and clients.

The Kerberos authentication issues include, but are not limited to, the following:

  • Domain user sign-in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
  • Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
  • Remote Desktop connections using domain users might fail to connect.
  • You might be unable to access shared folders on workstations and file shares on servers.
  • Printing that requires domain user authentication might fail.

The issue is being heavily scrutinized by the Microsoft team in Redmond, WA, which estimates that a solution will be released in the coming weeks. However, a commenter on Bleeping Computer’s previous coverage of November’s Patch Tuesday states: “Be warned, the November update absolutely breaks Kerberos in situations where you have set the ‘This account supports Kerberos AES 256 bit encryption’ or ‘This account supports Kerberos AES 128 bit encryption’ Account Options set (i.e., msDS-SupportedEncryptionTypes attribute) on user accounts in AD.” They go on to say that organizations can work around this issue by disabling AES 128 and 256 bit encryption for domain users and resetting those users’ passwords.

Analyst Notes

According to Microsoft, systems administrators can look for the “Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller with the below text.” The text in question reads: “While processing an AS request for target service , the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1)”. More specific information about possible signs of this issue in Kerberos authentication is available here: https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-22h2
If organizations do find the need to follow the advice of disabling Kerberos AES 128 and 256 bit encryption in order to preserve business continuity, they should ensure that the encryption feature is re-enabled once Microsoft has fixed the issue.
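
The two checks described above, as an added PowerShell example (not from Microsoft or the sources cited here): it lists the KDC Event ID 14 errors on a Domain Controller and records which user accounts have the AES options set, so the original values can be restored after the fix. It assumes it is run on a Domain Controller with the ActiveDirectory module installed; the output file name aes-enctypes-baseline.csv is a placeholder.

```powershell
# Added example; assumes a Domain Controller with the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags: AES128 = 0x08, AES256 = 0x10
$Aes128 = 0x08
$Aes256 = 0x10

# 1. KDC Event ID 14 entries in the System log since the November 8th, 2022 update.
#    Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$kdcErrors = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14
        StartTime    = [datetime]'2022-11-08'
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'did not have a suitable key for generating a Kerberos ticket' })

"KDC Event ID 14 matches: $($kdcErrors.Count)"
$kdcErrors | Select-Object -First 20 TimeCreated, Message | Format-List

# 2. User accounts with either AES option set.
#    1.2.840.113556.1.4.804 is the LDAP bitwise-OR matching rule; 24 = 0x08 + 0x10.
$aesUsers = Get-ADUser -LDAPFilter '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=24)' `
    -Properties 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $value = [int]$_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            EncTypesValue  = $value
            AES128         = [bool]($value -band $Aes128)
            AES256         = [bool]($value -band $Aes256)
        }
    }

# 3. Save the current values (placeholder file name) before any workaround is applied,
#    so the AES options can be re-enabled per account once a fix is released.
$aesUsers | Export-Csv -Path .\aes-enctypes-baseline.csv -NoTypeInformation
$aesUsers | Format-Table -AutoSize
```

Both queries are read-only; the saved CSV is the record of which accounts to revert if the workaround is used.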

https://www.bleepingcomputer.com/news/microsoft/windows-kerberos-authentication-breaks-after-november-updates/

https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/?sa=1#cid25203