Microsoft’s latest cumulative updates that were released earlier this week for Windows 11 broke a vital business security feature. The fix has not yet been published, but Microsoft expects to have one ready in the coming weeks.
As reported by BleepingComputer (opens in new tab), the Redmond software giant recently acknowledged certain issues with the Kerberos authentication protocol after November’s Patch Tuesday.
“After installing updates released on November 8, 2022, or later on Windows Servers with the Domain Controller role, you might have issues with Kerberos authentication,” Microsoft said.
Failing to sign in
“When this issue is encountered you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller with the below text,” the company explained.
BleepingComputer readers reported that the update breaks Kerberos, the default authentication protocol for domain-connected Windows endpoints, days previously.
One explained that the protocol breaks “in situations where you have set the ‘This account supports Kerberos AES 256 bit encryption’, or ‘This account supports Kerberos AES 128 encryption’ Account Options set (i.e., msDS-SupportedEncryptionTypes attribute) on user accounts in AD.”
According to the report, some of the Kerberos authentication scenarios include domain user sign-in failing and affecting Active Directory Federation Services authentication in the process, Remote Desktop connections using domain users failing to connect, and several others.
The affected platforms include most Windows versions since Windows 7 (Windows 7 SP1, Windows 8.1, Windows 10 Enterprise LTSC 2019, Windows 10 Enterprise LTSC 2016, Windows 10 Enterprise 2015 LTSB, Windows 10 20H2, Windows 11 21H2), and some Server version (Windows Server 2008 SP2, Windows Server 2022)-.
Home customers and users not enrolled in an on-premises domain are not affected by this bug, it was added. Furthermore, the flaw doesn’t impact non-hybrid Azure Active Directory environments, as well as those without an on-prem Active Directory server.
