Microsoft Fixes Windows Kerberos Authentication Issues in Emergency Updates

Microsoft has released optional out-of-band (OOB) updates to address a known issue causing Kerberos login failures and other authentication issues on enterprise Windows domain controllers after installing cumulative updates released on Patch Tuesday in November.

The company acknowledged the issue and began investigating it on Monday, when it also said the known issue could affect any Kerberos authentication scenario in affected enterprise environments.

While Microsoft has also started implementing security hardening for Kerberos and Netlogon starting with the November 2022 Patch Tuesday, it said these authentication issues are not an expected result.

Authentication issues on affected Windows versions

“After installing updates released on November 8, 2022 or later on Windows servers with the domain controller role, you might experience issues with Kerberos authentication,” Microsoft explained.

“When this problem is encountered, you may receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of the event log on your domain controller with the text below.”

The list of affected Kerberos authentication scenarios includes, but is not limited to, the following:

Fix released for affected Windows versions

Today, Microsoft released emergency OOB updates for Windows administrators to install on all domain controllers (DCs) in affected environments.

“You do not need to install any updates or make any changes to other servers or client devices in your environment to resolve this issue,” Microsoft says.

“If you used a workaround or mitigations for this issue, they are no longer needed and we recommend that you remove them.”

The OOB updates released today are only available through the Microsoft Update Catalog and will not be offered through Windows Update.

Redmond has released cumulative updates for installation on domain controllers (no client-side action needed):

Microsoft has also released standalone updates that can be imported into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager:

The only affected platform still awaiting a fix is Windows Server 2008 R2 SP1. Redmond says a dedicated update will be available next week.

You can find detailed WSUS deployment instructions on the WSUS and the Catalog Site page, and Configuration Manager instructions on the Import updates from the Microsoft Update Catalog page.

“If you only use security updates for these versions of Windows Server, you only need to install these November 2022 standalone updates,” Microsoft added.

“If you are using Monthly Cumulative Updates, you will need to install the two standalone updates listed above to resolve this issue, and install the monthly patches released November 8, 2022 to receive quality updates for November 2022.”

Two years ago, Redmond addressed similar Kerberos authentication issues affecting Windows systems caused by security updates released as part of the November 2020 Patch Tuesday.
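To check which domain controllers have logged the Event ID 14 error Microsoft describes above, and when each one last logged it, administrators can query the System log on every DC. The script below is an added example, not code from Microsoft or the original article; it assumes the ActiveDirectory RSAT module is installed and that the account running it can read event logs remotely.

```powershell
# Added example (not from the article). Matches on provider name and event ID
# only; compare SampleText with the message text Microsoft published before
# attributing an event to this known issue.
Import-Module ActiveDirectory

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = [datetime]'2022-11-08'   # release date quoted in the article
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController = $dc.HostName
        Event14Count     = $null
        FirstSeen        = $null
        LastSeen         = $null
        SampleText       = $null
        Note             = ''
    }
    try {
        # Get-WinEvent returns the newest events first
        $events = @(Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop)
        $row.Event14Count = $events.Count
        $row.LastSeen     = $events[0].TimeCreated
        $row.FirstSeen    = $events[-1].TimeCreated
        $row.SampleText   = ($events[0].Message -split '\r?\n')[0]
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # No matching events is reported as an error; record it as a clean result
            $row.Event14Count = 0
        }
        else {
            # Unreachable DC or access denied: report it instead of hiding it
            $row.Note = "query failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

$report | Sort-Object Event14Count -Descending | Format-Table -AutoSize
```

A `LastSeen` timestamp later than the time the OOB update was installed on that DC is worth investigating; rows with a `Note` were not checked at all.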
