This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 66%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi,
After updating or installing a fresh Windows 11 22H2, the computer can't contact the active directory.
GPO seems to be not applied and it's impossible to reach any ressources on the network.
It seems that the user can't get a TGT from the domain controller.
When I do a klist it's empty.
With wireshark, I see at each attempt an "AS-REQ" but no "AS-REP".
> nltest /dclist:mydomain.local
Get list of DCs in domain 'mydomain.local' from '\\dc01.mydomain.local'.
Cannot DsBind to mydc.laz (\\dc01.mydomain.local).Status = 2148074320 0x80090350 SEC_E_DOWNGRADE_DETECTED.
> nltest /sc_query:mydomain.local
Flags: 30 HAS_IP HAS_TIMESERV Authentication Service: Netlogon
Trusted DC Name \\dc02.mydomain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
When I try to reach an SMB share i have this message :
The sytem cannot contact a domain controller to service the authentication request. Please try again later
All the DCs are in Windows 2016.
I'm not sure where to look to fix this. I've looked everywhere but no answer.
Can you help me please?
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 24%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Same issue here with Windows 11 22H2. One symptom of this problem is "The system cannot contact a domain controller to service the authentication request. Please try again later." when trying to access network resources.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 98%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENR%3C/text%3E%3C/svg%3E)
Chiming in to say we began seeing this as well. Bricked a few machines. Only recourse thus far has been to reimage.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 98%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBV%3C/text%3E%3C/svg%3E)
Also have this issue. First manifested as something like "My R: drive is disconnected..."
We can map network drives by \ipaddress\sharename but not \hostname\sharename.
nltest /dclist: gets me the same result.
When I try to gpupdate /force, I'm told no DC's can be contacted.
ONLY on W11 22h2. I have tried several Kerberos-related fixes found on Reddit, but no dice.
DC's are 2012R2 as is functional level.
Is there a reason why posts in this thread seem to be getting deleted? The posts discussing upgrading DCs to 2022 and raising the domain functional level appear to be gone now.
Perhaps that person figure out it wasn’t a consistent answer and deleted their comments…? (No clue.)
We increased our domain and forest functional level from 2008 R2 to 2012 R2, but this did not solve the Windows 11 22H2 authentication issue. We'll need to upgrade our domain controllers if we want to increase the functional level further.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 70%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
I had the same issue when testing 22H2 on Windows 11.
Some of the symptoms - Unable to access DFS Shares or file shares by DNS name, GPUpdate not working, Powershell issues with AD modules and remoting, Certificate waring when using RDP
Our DCs were all running on Windows server 2019 or 2022 but the functional level was still 2012.
Raise your domain functional level to 2016+, this worked for me.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 5%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Same. No Trusted relationship
Is anyone here using Crowdstrike Falcon Identity protection? There was a post on reddit saying this Windows 11 22H2 authentication issue is caused by falcon identity.
Release Notes | Falcon sensor for Windows 6.46.16012/6.47.16104 Hotfix
Fixed an issue with Falcon Identity Protection that blocked Kerberos authentications performed by hosts running Windows 11 version 22H2. This applies to all prior supported sensor versions.
We actually do use Falcon Identity Protection !
Thank you for this, I'll check that !!
WOW. I'mma go looking at that as I am a customer of CSFalcon (like every module they offer). Headed to look now.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 84%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
We use falcon, but I removed it from my computer a few days ago thinking that was the issue also, but it didn't do anything.
It's the Identity Product that is installed on the Domain Controller that seems to be the problem.
Removing it from the computer won't help if it's falcon identity protection causing the issue. The falcon identity sensor is installed on the domain controller and the blocking would be occurring there, not on the pc itself.
Yup. We're totally Crowdstrike endpoints. Thank you so much for sharing this.
new update. i updated the sensors on my PC and on the DC and no dice. I haven't rebooted the DC yet. don't know if I have to do that.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 28.000000000000004%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Updating the Falcon sensors on our DC's worked for us. We did not have to reboot them. Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 88%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
I removed just the Falcon Identity Sensor from both of my Domain Controllers and now all the Windows 11 22H2 clients are working. They are authenticating and getting Group Policy as normal. I'm not sure if there is a new fix coming from CrowdStrike. The hotfix version of the client didn't take care of the issue. Only removing the Identity Sensor did the trick.
Crowdstrike told me only the unified DC sensor has been updated. If your account is still uses the DC sensor separate from the falcon EDR sensor we're still waiting for an update to the standalone identity DC sensor. It might be possible to ask crowdstrike to update your account to use the new unified sensor but it requires a change on their side.
Putting Identity Protection into "passthrough" mode also worked for us to solve these issues.
I have a ticket with CrowdStrike and they have yet to confirm this issue stems from this module.
The fixed version of the falcon identity DC standalone sensor has been released. Version 6.48.21772. Has anyone installed it yet and can confirm the fix?
Nicelly seen !! I just installed it and it worked !
I did a Test-ComputerSecureChannel -Repair just in case ! (not sure if i had to do it or not, but after 1 restart it still didn't worked, I had the TGT listed but impossible to reach any sysvol share)
Thank you for keeping me updated of the fix !
We are running 2016 Functional Level with 2019 DC Servers. I can confirm that Identity Protection DC Sensor - Sensor Version6.48.21772 install has resolved our drive mapping issues.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 40%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
I think it has nothing to do with antivirus or firewall. I am facing exactly the same problem here and it is certainly a problem with Windows updates. At first it was possible to deleted lastet updates in 22h2 and 23h2 versions, just delete the updates in the options and restart the computer to have it working again with samba4 domain. However something really weird is happening now. When I delete the updates and set windows updates as off, when I restart the computer it updates anyway and I can never remove them. I tried remove with powershell since there is a possibility to do so but nothing seems to work anymore. Windows 11 just keep resulting in "trust relationship between this workstation and the domain fails".
I think I have tried everything that was possible. Update samba version, enable and disable Kerberos DES options in Local policies. The only way to login to the domain is using a different Windows version like 7 or 10 which works perfectly. Problem is that all licences here is for Windows 11.
Hope Microsoft fixes it soon.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 92%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
I can not run a klist purge on any computer that upgraded from win10 to 11, but any computer I built as win 11 works. Any ideas?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 46%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
For one of our customers the scenario was:
Windows 11 client with a fresh Install
WIndows Server 2016 as a Domain controller
The client did join the domain but could not update gpo's because coult not access the share under \domain.local\SYSVOL
a "gpupdate /force" from client resulted in a "could not read policy object 'XXXX-YYYY-ecc' "
surfing the network path at \domain.local\SYSVOL resulted in a "denied access" with credential request
Apparently, the solution was to check under the Server side if smb v1 support was still active and then disabling it
first step was to remove the smb1 feature from "Server Manager":
second step check with powershell the status of smb v1 protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false
issuing again the get command shoul result in a False state
Typing againg the "gpupdate /force" on the client side resulted in a positive output with no errors and the SYSVOL was now available to the client operating system.
No action was needed on the client
hope this helps
Cheers