Microsoft releases emergency update to address Kerberos authentication bugs

The problem was caused by cumulative updates made available during November Patch Tuesday

Microsoft has released out-of-band (OOB) updates to fix a known issues relating to Kerberos sign-in failures and other authentication problems on enterprise Windows domain controllers.

In an update on its Windows health dashboard, Microsoft advises Windows administrators to apply the OOB emergency upgrades to all Domain Controllers (DCs) in impacted environments.

The problem was caused as a result of applying cumulative updates that were made available during November's Patch Tuesday.

It resulted in Kerberos authentication failures for a variety of tasks, including domain user sign-in, domain user connection failures for Remote Desktop, and printing that would need domain user authentication.

On all Windows versions above Windows 2000, the Kerberos protocol has replaced the NTLM protocol as the default authentication mechanism for domain-connected devices.

Microsoft confirmed the problem this week and said that any Kerberos authentication scenarios within impacted enterprise environment might be impacted by the known flaw.

"When this issue is encountered you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller with the below text," the company said.

Devices used by home customers and those not registered in an on-premises domain are unaffected by the problem. Additionally, it doesn't impact non-hybrid Azure Active Directory environments or those without on-premises Active Directory servers.

The problem has now been resolved thanks to the OOB updates released by Microsoft.

In its advisory, Microsoft cautions that they don't need to install any update or modify any other servers or client devices in their environment in order to fix this problem.

Users are urged to delete any workarounds or mitigations they may have previously applied since they are no longer required.

Moreover, users must understand that the OOB updates are only accessible via the Microsoft Update Catalogue, won't be provided via Windows Update and won't install automatically.

To download and install the updates, users must manually look for specific KB numbers in the Microsoft Update Catalogue.

The following are the KB numbers for each server SKU:

Cumulative updates

• Windows Server 2022: KB5021656
• ​Windows Server 2019: KB5021655
• ​Windows Server 2016: KB5021654

Standalone Updates

• Windows Server 2012 R2: KB5021653
• Windows Server 2012: KB5021652
• Windows Server 2008 SP2: KB5021657

Windows Server 2008 R2 SP1 is the only impacted platform that has not yet received a fix. According to Microsoft, a dedicated update would be released the next week.

"If you are using security only updates for these versions of Windows Server, you only need to install these standalone updates for the month of November 2022," Microsoft added.

"If you are using Monthly rollup updates, you will need to install both the standalone updates listed above to resolve this issue, and install the Monthly rollups released November 8, 2022 to receive the quality updates for November 2022."

"If you have already installed updates released November 8, 2022, you do not need to uninstall the affected updates before installing any later updates including the updates listed above.