Microsoft has released optional out-of-band (OOB) updates to fix a known issue triggering Kerberos sign-in failures and other authentication problems on enterprise Windows domain controllers after installing cumulative updates released during November’s Patch Tuesday. This issue was previously covered in ThreatWatch.
The company acknowledged the issue and started investigating it on Monday, when it also said that the known issue could affect any Kerberos authentication scenario within affected enterprise environments. While Microsoft has also started enforcing security hardening for Kerberos and Netlogon beginning with the November 2022 Patch Tuesday, it said that these auth problems are not an expected result. “After installing updates released on November 8, 2022, or later on Windows Servers with the Domain Controller role, you might have issues with Kerberos authentication,” Microsoft explained. “When this issue is encountered, you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System Log of Event Log on your Domain Controller with the text below.”
The list of impacted Kerberos auth scenarios includes but is not limited to the following:
- Domain user sign-in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
- Remote Desktop connections using domain users might fail to connect.
- You might be unable to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication might fail.
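To check whether an environment is showing the symptom Microsoft describes, the following added example (not from Microsoft or the original article) sweeps every domain controller's System log for Event ID 14 from the Microsoft-Windows-Kerberos-Key-Distribution-Center provider logged on or after November 8, 2022. It assumes the ActiveDirectory PowerShell module is installed and that the account running it can read event logs remotely on the domain controllers.

```powershell
# Added example: find domain controllers logging KDC Event ID 14 since the
# November 8, 2022 updates. Assumes the ActiveDirectory module (RSAT) and
# remote event log read access to each domain controller.
Import-Module ActiveDirectory

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = [datetime]'2022-11-08'
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = @(Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
                    Sort-Object TimeCreated)
        $status = 'ok'
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # Get-WinEvent raises an error when nothing matches; treat it as zero hits
            $events = @()
            $status = 'ok'
        }
        else {
            # Unreachable or access-denied DCs are reported, not silently counted as clean
            $events = @()
            $status = "query failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        Event14Count     = if ($status -eq 'ok') { $events.Count } else { $null }
        FirstSeen        = if ($events.Count) { $events[0].TimeCreated } else { $null }
        LastSeen         = if ($events.Count) { $events[-1].TimeCreated } else { $null }
        Status           = $status
    }
}

# Affected domain controllers first, then any that could not be queried
$results |
    Sort-Object @{ Expression = 'Event14Count'; Descending = $true }, DomainController |
    Format-Table -AutoSize
```

Comparing `FirstSeen` on each domain controller with the date the November cumulative update was installed there helps separate this known issue from unrelated Kerberos errors that predate the update.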