On Patch Tuesday, November 8th, 2022, Microsoft shipped fixes for 68 flaws, six of which were being actively exploited. Since installing the update, organizations have been experiencing a range of Kerberos authentication failures on Windows servers and clients.
The reported Kerberos authentication failures include, but are not limited to, the following:
- Domain user sign-in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
- Remote Desktop connections using domain users might fail to connect.
- You might be unable to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication might fail.
Microsoft's team in Redmond, WA, is investigating the issue and estimates that a fix will be released in the coming weeks. In the meantime, a commenter on Bleeping Computer’s earlier coverage of November’s Patch Tuesday writes: “Be warned, the November update absolutely breaks Kerberos in situations where you have set the ‘This account supports Kerberos AES 256 bit encryption’ or ‘This account supports Kerberos AES 128 bit encryption’ Account Options set (i.e., msDS-SupportedEncryptionTypes attribute) on user accounts in AD.” They go on to say that organizations can work around the issue by disabling AES 128 and 256 bit encryption for domain users and resetting those users’ passwords.
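Before acting on a workaround like the one the commenter describes, an administrator needs to know which accounts actually carry the AES account options. The script below is an added example, not code from the article, from Microsoft or from the commenter; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller has read access to user objects in the domain. It enumerates user accounts whose msDS-SupportedEncryptionTypes attribute is populated, decodes the bitmask into encryption-type names, and flags the accounts that have either AES bit set. The flag values used for decoding are the documented Kerberos encryption-type bits; the function and variable names are the example's own.

```powershell
# Added example: inventory AD user accounts with Kerberos AES account options set.
# Assumes the ActiveDirectory module (RSAT) is available and the caller can read
# the msDS-SupportedEncryptionTypes attribute. Nothing here modifies any account.
Import-Module ActiveDirectory -ErrorAction Stop

# Bit values of msDS-SupportedEncryptionTypes (documented Kerberos etype flags).
$EncTypeFlags = [ordered]@{
    'DES_CBC_CRC'             = 0x01
    'DES_CBC_MD5'             = 0x02
    'RC4_HMAC'                = 0x04
    'AES128_CTS_HMAC_SHA1_96' = 0x08   # "This account supports Kerberos AES 128 bit encryption"
    'AES256_CTS_HMAC_SHA1_96' = 0x10   # "This account supports Kerberos AES 256 bit encryption"
}
$AesMask = $EncTypeFlags['AES128_CTS_HMAC_SHA1_96'] -bor $EncTypeFlags['AES256_CTS_HMAC_SHA1_96']

function ConvertTo-EncTypeNames {
    # Decode a raw msDS-SupportedEncryptionTypes value into a list of flag names.
    param([Parameter(Mandatory)][int]$Value)
    $names = foreach ($entry in $EncTypeFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
    if (-not $names) { return 'NONE' }
    return ($names -join ',')
}

function Get-AesKerberosUserInventory {
    # Return one record per user account whose msDS-SupportedEncryptionTypes is set,
    # marking the accounts the November 2022 reports describe (AES options enabled).
    param([string]$SearchBase)   # optional OU distinguished name to scope the query

    $params = @{
        LDAPFilter = '(msDS-SupportedEncryptionTypes=*)'
        Properties = 'msDS-SupportedEncryptionTypes', 'PasswordLastSet', 'Enabled'
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $raw = [int]$_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            Enabled          = $_.Enabled
            RawEncTypes      = ('0x{0:X}' -f $raw)
            EncTypes         = ConvertTo-EncTypeNames -Value $raw
            HasAesAccountOpt = (($raw -band $AesMask) -ne 0)
            PasswordLastSet  = $_.PasswordLastSet
        }
    }
}

# Usage: list the affected accounts and keep a CSV for change tracking.
$inventory = Get-AesKerberosUserInventory
$inventory | Where-Object HasAesAccountOpt | Sort-Object SamAccountName |
    Format-Table SamAccountName, Enabled, RawEncTypes, EncTypes, PasswordLastSet -AutoSize
$inventory | Export-Csv -Path .\kerberos-enctype-inventory.csv -NoTypeInformation
```

Running the inventory first, rather than clearing the AES options domain-wide, lets an organization see how many accounts the workaround would touch and which of them are service or privileged accounts, where a forced password reset needs coordination. The same output, re-run after the fix Microsoft has promised is applied, shows whether the AES options can be restored.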