Microsoft’s latest cumulative updates released earlier this week for Windows 11 broke an important business security feature. The fix has yet to be released, but Microsoft expects it to be ready in the coming weeks.
As reported by Beeping Computer (opens in a new tab)The Redmond-based software giant recently admitted to some issues with its Kerberos authentication protocol after November’s Patch Tuesday.
“After installing updates released on or after November 8, 2022 on Windows servers with a domain controller role, you may experience issues with Kerberos authentication,” Microsoft said.
Login failed
“If you encounter this issue, you may receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of the event log on a domain controller with the text below,” the company explained.
Beeping Computer readers reported that the update breaks Kerberos, the default authentication protocol for domain-connected Windows endpoints, a few days earlier.
One explained that the protocol breaks “in situations where you have set “This account supports Kerberos AES 256-bit encryption” or “This account supports Kerberos AES 128 encryption” (i.e. msDS-SupportedEncryptionTypes attribute) on user accounts in the NOTICE.”
According to the report, some Kerberos authentication scenarios include domain users failing to login and Active Directory Federation Services authentication process being affected, Remote Desktop connections using domain users unable to connect, and several others.
Affected platforms include most versions of Windows from Windows 7 (Windows 7 SP1, Windows 8.1, Windows 10 Enterprise LTSC 2019, Windows 10 Enterprise LTSC 2016, Windows 10 Enterprise 2015 LTSB, Windows 10 20H2, Windows 11 21H2) and some Server versions (Windows Server 2008 SP2, Windows Server 2022)-.
Added that home clients and users not registered in the local domain are not affected by this error. Furthermore, non-hybrid Azure Active Directory environments as well as those without an on-premises Active Directory server are not affected by the vulnerability.