Kerberos, a Windows authentication protocol that authenticates online service requests, has recently been found to have some issues.
According to SC Media, the following scenarios are possible:
- The domain user sign-in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
- Remote Desktop connections using domain users might fail to connect.
- Security teams might be unable to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication might fail.
It appears that these issues might be limited to only certain parties – but that does not mean the affected parties are not suffering.
What can be done? The options are not great. Delay patching and wait until Microsoft releases a fix. If you have already applied the Nov 8th patch, and you are not impacted, there is no action that you need to take - you are one of the lucky ones.
If you have applied this patch and are experiencing issues with authentication, the only known work around is to rebuild your service accounts. Windows could take days or weeks to provide a hot fix, though they have already spoken publicly about remedying their errors. If you have not applied the patch, do not.
It is important to note that this patch is intended to be a part of a series of rollouts from Microsoft to address a security issue within Kerberos. The detail of the security issue can be found in an article from Microsoft here.
The rollout schedule for the remainder of the patches that addresses this security concern can be found in this KB from Microsoft.
The Microsoft patch was released November 8 and these issues arose shortly after. If your company is unfortunately affected, reach out to Solvaria to be quickly matched with an expert.