Microsoft says they are already aware of a new issue in Windows updates that causes corporate domain controllers to fail when using Kerberos authentication, as well as other authentication issues that have emerged since the November patches.
Let me remind you that we wrote that Microsoft Updates May Break Printing in Windows Server, and also that Microsoft Silently Fixes ShadowCoerce Bug. Let me also remind you that the Kerberos protocol long ago replaced NTLM and has been the default authentication protocol for domain-joined devices in all versions of Windows from Windows 2000 on.
Bleeping Computer writes that immediately after the release of the November updates, users began to complain about Kerberos failing “in situations where you set the account settings to ‘This account supports 256-bit Kerberos AES encryption’ or ‘This account supports 128-bit Kerberos AES encryption’ (for example, the msDS-SupportedEncryptionTypes attribute) in user accounts in AD.”
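The account setting quoted above is stored as a bitmask in the msDS-SupportedEncryptionTypes attribute. The following PowerShell is an added example, not code from the article or from Microsoft, that decodes that bitmask and lists the accounts configured for AES only, which is the configuration the reports describe. It assumes the RSAT ActiveDirectory module and read access to the domain; the bit values are the documented ones from MS-KILE.

```powershell
# Added example (not from the article): list AD accounts whose
# msDS-SupportedEncryptionTypes restricts them to AES, the configuration
# the November-update Kerberos reports were made against.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Documented bit values for msDS-SupportedEncryptionTypes (MS-KILE)
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}
$AesMask    = 0x08 -bor 0x10
$LegacyMask = 0x01 -bor 0x02 -bor 0x04

function ConvertFrom-EncType {
    param([int]$Value)
    $names = foreach ($k in $EncTypeBits.Keys) {
        if ($Value -band $EncTypeBits[$k]) { $k }
    }
    if (-not $names) { return '(none / domain default)' }
    $names -join ', '
}

# Only objects that have the attribute set at all: an unset attribute means
# the KDC uses its defaults, which is not the trigger described in the reports.
$accounts = Get-ADObject `
    -LDAPFilter '(&(msDS-SupportedEncryptionTypes=*)(|(objectClass=user)(objectClass=computer)))' `
    -Properties msDS-SupportedEncryptionTypes, objectClass

$accounts | ForEach-Object {
    $v = [int]$_.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Name     = $_.Name
        Class    = $_.ObjectClass
        RawValue = ('0x{0:X}' -f $v)
        EncTypes = ConvertFrom-EncType $v
        # AES bits set and no RC4/DES bits: the "AES only" configuration
        AesOnly  = (($v -band $AesMask) -ne 0) -and (($v -band $LegacyMask) -eq 0)
    }
} | Where-Object AesOnly | Sort-Object Class, Name | Format-Table -AutoSize
```

Run it from a domain-joined management host before and after applying the update so you know in advance which user, computer and gMSA accounts fall into the affected configuration.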
According to Microsoft developers, the issue that arose after the updates can affect any scenario related to Kerberos authentication in enterprise environments.
In the logs, such errors are marked with the key phrase “the missing key has an ID of 1”.
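To find out whether your domain controllers are already logging these errors, the following PowerShell is an added example (not from the article) that searches the System log of every DC for the key phrase quoted above. The article names only the phrase; the provider name, event log and time window are assumptions here (the KDC provider in the System log is where Microsoft's own guidance pointed), and the phrase match is what actually selects the records, so the provider filter can be dropped if it does not match your environment.

```powershell
# Added example (not from the article): search each domain controller's
# System log for the key phrase the article cites. Provider name and
# time window are assumptions; adjust them to your environment.
Import-Module ActiveDirectory

$KeyPhrase = 'the missing key has an ID of 1'
$Since     = (Get-Date).AddDays(-7)

$dcs = (Get-ADDomainController -Filter *).HostName

$hits = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            StartTime    = $Since
        } -ErrorAction Stop |
        Where-Object { $_.Message -like "*$KeyPhrase*" } |
        ForEach-Object {
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                EventId = $_.Id
                # The first line of the message names the account or service involved
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
    } catch {
        # Get-WinEvent throws when no events match or the DC is unreachable;
        # report it rather than silently skipping the DC
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

if ($hits) {
    $hits | Sort-Object Time -Descending | Format-Table -AutoSize
    # A per-DC count shows which controllers are producing the errors
    $hits | Group-Object DC | Select-Object Name, Count
} else {
    "No events containing '$KeyPhrase' since $Since"
}
```

Remote event-log reads need the Remote Event Log Management firewall rule open on the DCs and an account allowed to read their System log; the per-DC grouping at the end tells you whether the errors are confined to the controllers that have already received the update.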
The issue may occur in, but is not limited to, the following use cases for Kerberos authentication.
- Domain user logon may fail. This can also affect Active Directory Federation Services (AD FS) authentication.
- Authentication may not work when using Group Managed Service Accounts (gMSA) for services such as Internet Information Services (IIS Web Server).
- Remote desktop connections using domain users may not work.
- There may be problems accessing shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication may fail.
The full list of affected platforms includes both client and server versions.
- Clients: Windows 7 SP1, Windows 8.1, Windows 10 Enterprise LTSC 2019, Windows 10 Enterprise LTSC 2016, Windows 10 Enterprise 2015 LTSB, Windows 10 20H2 and later, and Windows 11 21H2 and later.
- Servers: Windows Server 2008 SP2 or newer, including the latest Windows Server 2022.
Microsoft said they are already working on a fix for this issue and expect it to be released “in the coming weeks.” It would be nice if the fix did not take years this time, as it did in that earlier case.