Microsoft has released optional out-of-band (OOB) updates to fix known issues with Kerberos sign-in failures and other authentication problems on domain controllers. These problems arise after installing the November 2022 Cumulative Updates.
As a reminder, the November updates (KB5021131) were released to fix CVE-2022-37966. After installing them, a lot of companies were impacted by Kerberos issues.
The (non-exhaustive) impacted Kerberos authentication scenarios are:
- Domain user sign-in might fail. This also might affect Active Directory Federation Services (AD FS) authentication
- Group Managed Service Accounts (gMSA) might fail to authenticate
- Users might be unable to access shared folders and file shares
- Printing that requires domain user authentication might fail
- Remote Desktop connections using domain users might fail to connect
In addition, you may get event ID 14 in System logs (Microsoft-Windows-Kerberos-Key-Distribution-Center).
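To see which domain controllers are logging this event, the PowerShell script below queries each DC's System log for event ID 14 from the KDC provider. It is an added example, not code from Microsoft or from the original post. It assumes the ActiveDirectory RSAT module, remote event log access to the DCs, and a 14-day look-back window chosen arbitrarily.

```powershell
# Added example: count KDC event ID 14 entries in the System log of each domain controller.
# Assumptions: ActiveDirectory RSAT module is installed, the caller can read remote
# event logs on the DCs, and the 14-day default window is an arbitrary constructed value.
#Requires -Modules ActiveDirectory

param(
    [datetime]$Since = (Get-Date).AddDays(-14)
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = $Since
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController = $dc.HostName
        Status           = 'OK'
        Event14Count     = 0
        LastSeen         = $null
        LastMessage      = $null
    }
    try {
        $events = @(Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop)
        $row.Event14Count = $events.Count
        $row.LastSeen     = $events[0].TimeCreated          # Get-WinEvent returns newest first
        $row.LastMessage  = ($events[0].Message -split "`r?`n")[0]
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; here that is the healthy case.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $row.Status = "Query failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

# DCs with the most event ID 14 entries first.
$results | Sort-Object Event14Count -Descending | Format-Table -AutoSize -Wrap
```

A DC that shows `Query failed` was not checked, so treat it as unknown rather than healthy.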
The out-of-band updates were released on 18 November 2022 and are available only on the Microsoft Update Catalog. As these updates only fix the problem with the November updates, they won't be available via Windows Update.
These updates are only for domain controllers; there is nothing to do on workstations or servers that are domain members.
Microsoft also released standalone updates which can be imported into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager: