Microsoft’s effort to make Kerberos authentication more robust broke it on Windows Servers.

Out-of-band updates to the rescue

After Kerberos network authentication was broken by November Patch Tuesday updates, Microsoft is now releasing fixes for issues with the Kerberos network authentication protocol on Windows Server.

As reported two weeks ago, updates released on November 8 or later disrupted Kerberos authentication when installed on Windows Servers holding the Domain Controller role, which manages network and identity security requests. The issues ranged from failed domain user sign-ins and Group Managed Service Accounts authentication to remote desktop connections not working.

Other problems included printer connections requiring domain user authentication failing and users being unable to access shared files on workstations.

At the time, Microsoft warned in its Windows Health Dashboard that “engineers are currently investigating this problem and that it may impact any Kerberos authentication in your environment.”

Microsoft released emergency out-of-band (OOB) patches late last week that may be applied to all Domain Controllers, saying that customers don’t need to install additional updates or make modifications to other servers or client devices to fix the problem. The company added that any workarounds used to mitigate the issue are no longer necessary and should be removed.

 

Before applying these cumulative updates, you don’t need to apply any previous updates, according to Microsoft. “You do not need to delete the concerned updates before installing any later updates, including the [OOB] updates, if you have previously installed updates released on November 8, 2022.”

Kerberos is used to authenticate service requests between a number of trusted hosts across an unsecured network like the internet, using secret-key encryption and a trusted third party to verify user identities and application functionality. It was developed by MIT researchers in the 1980s.

Microsoft started using Kerberos in Windows 2000, and the OS now ships with it as the default authorisation tool. Other Kerberos versions, supported by the Kerberos Consortium, are available for various operating systems, such as Apple OS.

In response to two vulnerabilities identified as CVE-2022-37967 and CVE-2022-37966, the vendor released two updates on November 8 to tighten the security of Kerberos as well as Netlogon, another authentication technology. Those updates caused the authentication problems that the most recent patches fix.

The failure shows up as a “Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event” in the System section of the Event Log on the Domain Controller. The event text states that, while processing an AS request for the target service, the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).
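One way to check a Domain Controller for the Event ID 14 error described above and see on which days it occurred. This is an added example, not code from Microsoft or the original article: the provider name, event ID and message text are the ones quoted above, while the function names, variable names and sample records are hypothetical and constructed for illustration.

```powershell
# Added example. Provider name, event ID and message text are the ones quoted
# in the article; function and variable names are hypothetical.
$KdcProvider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'

function Select-KdcMissingKeyEvent {
    # Keep only KDC Event ID 14 records that carry the "missing key" text.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Event)
    $Event | Where-Object {
        $_.ProviderName -eq $KdcProvider -and $_.Id -eq 14 -and
        $_.Message -like '*missing key has an ID of 1*'
    }
}

function Get-KdcMissingKeySummary {
    # Count matching events per day, so you can see when failures started
    # and whether they stopped once the OOB update was installed.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Event)
    Select-KdcMissingKeyEvent -Event $Event |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        Select-Object @{n='Day';e={$_.Name}}, Count
}

# Constructed sample records (not real log data), shaped like Get-WinEvent output.
$text = 'While processing an AS request for the target service, the account did not ' +
        'have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).'
$sample = @(
    [pscustomobject]@{ ProviderName=$KdcProvider; Id=14; TimeCreated=[datetime]'2022-11-09T08:15:00'; Message=$text }
    [pscustomobject]@{ ProviderName=$KdcProvider; Id=14; TimeCreated=[datetime]'2022-11-09T09:02:00'; Message=$text }
    [pscustomobject]@{ ProviderName=$KdcProvider; Id=14; TimeCreated=[datetime]'2022-11-10T07:40:00'; Message=$text }
    [pscustomobject]@{ ProviderName=$KdcProvider; Id=7;  TimeCreated=[datetime]'2022-11-10T07:41:00'; Message='unrelated KDC event (constructed)' }
)
Get-KdcMissingKeySummary -Event $sample

# On a Domain Controller, feed it the live System log instead:
try {
    $live = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = $KdcProvider; Id = 14
        StartTime = [datetime]'2022-11-08'
    } -ErrorAction Stop
    Get-KdcMissingKeySummary -Event $live
} catch {
    Write-Host "No matching KDC Event ID 14 records found (or not a DC): $($_.Exception.Message)"
}
```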

For the standalone bundle of OOB updates, users can look up the KB number in the Microsoft Update Catalog and manually import the patches into Windows Server Update Services as well as Endpoint Configuration Manager.