Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos sign-in failures and other authentication problems after installing cumulative updates released during this month’s Patch Tuesday.
According to Bleeping Computer, “Kerberos has replaced the NTLM protocol as the default authentication protocol for domain-connected devices on all Windows versions above Windows 2000.
BleepingComputer readers also reported three days ago that the November updates break Kerberos “in situations where you have set the ‘This account supports Kerberos AES 256 bit encryption’ or ‘This account supports Kerberos AES 128 bit encryption’ Account Options set (i.e., msDS-SupportedEncryptionTypes attribute) on user accounts in AD.””
“The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.
To help secure your environment, install this Windows update to all devices, including Windows domain controllers. All domain controllers in your domain must be updated first before switching the update to Enforced mode.
- To learn more about these vulnerabilities, see CVE-2022-37967.

Take Action

To help protect your environment and prevent outages, we recommend that you do the following steps:

1. UPDATE your Windows domain controllers with a Windows update released on or after November 8, 2022.
2. MOVE your Windows domain controllers to Audit mode by using the Registry Key setting section.
3. MONITOR events filed during Audit mode to secure your environment.
4. ENABLE Enforcement mode to address CVE-2022-37967 in your environment.

Note: Step 1 of installing updates released on or after November 8, 2022 will NOT address the security issues in CVE-2022-37967 for Windows devices by default. To fully mitigate the security issue for all devices, you must move to Audit mode (described in Step 2) followed by Enforced mode (described in Step 4) as soon as possible on all Windows domain controllers.”
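The four-step procedure above, as an added PowerShell example that is not from the article or from Microsoft: it reports a domain controller's current PAC-signature mode, moves it to Audit or Enforced mode with a guard on the "all DCs updated first" precondition, and pulls the KDC warnings to review during the Audit phase. The registry path, value name, 0-3 mode meanings and event provider name are assumptions taken from Microsoft's KB5020805 guidance for CVE-2022-37967, which this page does not quote; verify them against that KB before use.

```powershell
# Added example, not from the article or from Microsoft. ASSUMPTION: the registry
# path, value name and 0-3 meanings are those documented in Microsoft's KB5020805
# for CVE-2022-37967, which this page does not quote; verify against the KB first.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'KrbtgtFullPacSignature'
$ModeNames = @{ 0 = 'Disabled (new PAC signatures not added; insecure)'
                1 = 'Signatures added, not validated (update default)'
                2 = 'Audit'; 3 = 'Enforced' }

# Report the DC's current PAC-signature mode (run elevated on each DC).
function Get-PacSignatureMode {
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Mode = 'Not set (update default applies)' }
    }
    $v = [int]$item.$ValueName
    [pscustomobject]@{ Value = $v; Mode = $ModeNames[$v] }
}

# Step 2 (Audit) or Step 4 (Enforced). Enforced is refused unless the caller
# asserts that every DC in the domain is already updated, as the KB requires.
function Set-PacSignatureMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Audit', 'Enforced')][string]$Mode,
        [switch]$AllDomainControllersUpdated
    )
    $value = if ($Mode -eq 'Audit') { 2 } else { 3 }
    if ($value -eq 3 -and -not $AllDomainControllersUpdated) {
        throw 'Enforced mode requires every domain controller to be updated first.'
    }
    if ($PSCmdlet.ShouldProcess("$KdcKey\$ValueName", "set to $value ($Mode)")) {
        Set-ItemProperty -Path $KdcKey -Name $ValueName -Value $value -Type DWord
    }
    Get-PacSignatureMode
}

# Step 3 (Monitor): recent KDC warnings from the System log while in Audit mode.
# ASSUMPTION: the provider name; event IDs are not hard-coded since the page omits them.
function Get-KdcAuditWarnings {
    param([int]$Newest = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 3   # 3 = Warning
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

Run `Get-PacSignatureMode` before and after `Set-PacSignatureMode -Mode Audit`, and review `Get-KdcAuditWarnings` output before moving on; `Set-PacSignatureMode -Mode Enforced -AllDomainControllersUpdated -WhatIf` previews Step 4 without changing the registry.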