Microsoft issues emergency fixes for wide-reaching Kerberos issues

Microsoft has released emergency out-of-band (OOB) updates to fix Kerberos authentication issues that were affecting a large proportion of enterprise users.

The tech giant released the updates on 17 and 18 November for all domain controllers (DCs) in affected environments. Microsoft aimed to fix an issue which could cause sign-in failures in Kerberos, Microsoft's longstanding default authentication protocol.

System administrators' complaints began last week when many reported various processes breaking within their organisation. Faults in Kerberos can lead to issues relating to user sign-ins, Internet Information Services (IIS Web Server), remote desktop connections, and accessing shared folders, among others.

“You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue,” said Microsoft. “If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them.”

Users can access the updates by searching for the Microsoft knowledge base (KB) number in the Microsoft Update Catalog. Alternatively, the updates can be imported manually into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager for those organisations that use the tools to manage their IT estate.

There are cumulative updates available:

• Windows Server 2022: KB5021656
• Windows Server 2019: KB5021655
• Windows Server 2016: KB5021654

Users don’t need to apply any previous updates before installing these ones. Microsoft said that users don’t have to uninstall the affected updates before installing any later updates either.

There are also standalone updates available:

• Windows Server 2012 R2: KB5021653
• Windows Server 2012: KB5021652
• Windows Server 2008 R2 SP1: KB5021651 (released November 18, 2022)
• Windows Server 2008 SP2: KB5021657

Users that are deploying security-only updates for these Windows Server versions only have to install the standalone updates for November 2022. They will also need to install previous security updates to be fully up-to-date since these aren’t cumulative.

What were the issues affecting Kerberos?

Microsoft was forced to introduce an emergency update to fix a number of updates it implemented on 8 November.

The tech giant said that users could encounter a number of issues with Kerberos authentication. This could affect domain user sign-in, group managed service accounts (gMSA), and remote desktop connections.

Additionally, users might have been unable to access shared folders on workstations and file shares on servers, as well as printing that needed domain user authentication.

When encountering the issue, Microsoft said that admins might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the event log system section on a DC, displaying the text: 'While processing an AS request for target service {service}, the account {account name} did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of {account name} will generate a proper key'.

The tech giant said that the issue isn’t part of a security hardening for Netlogon and Kerberos which began with the November security update. Devices used at home by consumers, or those that aren’t linked to an on-premise domain, won’t be affected by the problem.