Microsoft tracks Kerberos protocol changes on specific Windows Servers following November updates

November 22, 2022

Microsoft’s security team discovered another issue with Kerberos authentication on Windows Servers with the Domain Controller role after the updates released on the most recent Patch Tuesday, November 8, were installed. Affected Domain Controllers, which are charged with managing network and identity security requests, had their Kerberos authentication capabilities disrupted.

The previous patch made security hardening changes that fixed two vulnerabilities tracked as CVE-2022-37967 and CVE-2022-37966, but it also broke some key authentication scenarios, a bug that resulted in failed logins and failed RDP connections.

Those affected by the bug saw a “Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event” in the System section of the Event Log on their Domain Controller, with the following text: “While processing an AS request for target service <account>, the account <account> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).”

The Microsoft security team stated in a blog post that the issue could affect any Microsoft-based Kerberos authentication in an enterprise environment. The scenarios it listed include domain user sign-in failures, Group Managed Service Accounts (gMSA) used for services like Internet Information Services (IIS Web Server) failing to authenticate, Remote Desktop connections using domain users failing to connect, and printing with domain user authentication failing.

To that end, Microsoft strongly advises users to install the most recent cumulative updates for Windows Server 2019 (KB5021655), Windows Server 2016 (KB5021654), Windows Server 2012 R2 (KB5021653), Windows Server 2012 (KB5021652), and Windows Server 2008 SP2 (KB5021657) on Windows Domain Controllers as soon as possible.
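As an added example (not from the article or from Microsoft), the following PowerShell sketch checks a Domain Controller for the Event ID 14 error quoted above and for the fix KB the article lists for its OS. The function names and the OS-version-to-KB prefix mapping are assumptions of this example; the KB numbers, provider name, and message text come from the article.

```powershell
# Added example (not Microsoft's tooling). Run in an elevated Windows PowerShell
# 3.0+ session on the Domain Controller being checked.

# Fix KBs as listed in the article, keyed by OS version prefix
# (Win32_OperatingSystem.Version); the prefix mapping is this example's assumption.
$FixByVersion = @{
    '10.0.17763' = 'KB5021655'   # Windows Server 2019
    '10.0.14393' = 'KB5021654'   # Windows Server 2016
    '6.3.'       = 'KB5021653'   # Windows Server 2012 R2
    '6.2.'       = 'KB5021652'   # Windows Server 2012
    '6.0.'       = 'KB5021657'   # Windows Server 2008 SP2
}

function Get-KdcMissingKeyEvent {
    param([datetime]$Since = [datetime]'2022-11-08')   # Patch Tuesday named in the article
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14
        StartTime    = $Since
    }
    # Get-WinEvent raises an error when nothing matches, so suppress it.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*did not have a suitable key*' }
}

function Get-ExpectedFixKb {
    param([string]$OsVersion)
    foreach ($prefix in $FixByVersion.Keys) {
        if ($OsVersion.StartsWith($prefix)) { return $FixByVersion[$prefix] }
    }
}

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$kb     = Get-ExpectedFixKb -OsVersion $os.Version
$events = @(Get-KdcMissingKeyEvent)
# Get-HotFix reports KBs currently recorded as installed; a later cumulative
# update that supersedes this one may not be listed under this KB number.
$fix    = if ($kb) { Get-HotFix -Id $kb -ErrorAction SilentlyContinue }

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    IsDomainCtrl   = ($os.ProductType -eq 2)   # 2 = domain controller
    OsVersion      = $os.Version
    ExpectedFixKb  = $kb
    FixKbInstalled = [bool]$fix
    Event14Count   = $events.Count
    LatestEvent14  = ($events | Select-Object -First 1).TimeCreated
}
```

A non-zero `Event14Count` together with `FixKbInstalled = False` marks a Domain Controller to prioritize for the update.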

The sources for this piece include an article in TheRegister.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
