This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 66%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi,
After updating or installing a fresh Windows 11 22H2, the computer can't contact the active directory.
GPO seems to be not applied and it's impossible to reach any ressources on the network.
It seems that the user can't get a TGT from the domain controller.
When I do a klist it's empty.
With wireshark, I see at each attempt an "AS-REQ" but no "AS-REP".
> nltest /dclist:mydomain.local
Get list of DCs in domain 'mydomain.local' from '\\dc01.mydomain.local'.
Cannot DsBind to mydc.laz (\\dc01.mydomain.local).Status = 2148074320 0x80090350 SEC_E_DOWNGRADE_DETECTED.
> nltest /sc_query:mydomain.local
Flags: 30 HAS_IP HAS_TIMESERV Authentication Service: Netlogon
Trusted DC Name \\dc02.mydomain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
When I try to reach an SMB share i have this message :
The sytem cannot contact a domain controller to service the authentication request. Please try again later
All the DCs are in Windows 2016.
I'm not sure where to look to fix this. I've looked everywhere but no answer.
Can you help me please?
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 24%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Same issue here with Windows 11 22H2. One symptom of this problem is "The system cannot contact a domain controller to service the authentication request. Please try again later." when trying to access network resources.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 98%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENR%3C/text%3E%3C/svg%3E)
Chiming in to say we began seeing this as well. Bricked a few machines. Only recourse thus far has been to reimage.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 98%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBV%3C/text%3E%3C/svg%3E)
Also have this issue. First manifested as something like "My R: drive is disconnected..."
We can map network drives by \ipaddress\sharename but not \hostname\sharename.
nltest /dclist: gets me the same result.
When I try to gpupdate /force, I'm told no DC's can be contacted.
ONLY on W11 22h2. I have tried several Kerberos-related fixes found on Reddit, but no dice.
DC's are 2012R2 as is functional level.
Is there a reason why posts in this thread seem to be getting deleted? The posts discussing upgrading DCs to 2022 and raising the domain functional level appear to be gone now.
Perhaps that person figure out it wasn’t a consistent answer and deleted their comments…? (No clue.)
We increased our domain and forest functional level from 2008 R2 to 2012 R2, but this did not solve the Windows 11 22H2 authentication issue. We'll need to upgrade our domain controllers if we want to increase the functional level further.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 70%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
I had the same issue when testing 22H2 on Windows 11.
Some of the symptoms - Unable to access DFS Shares or file shares by DNS name, GPUpdate not working, Powershell issues with AD modules and remoting, Certificate waring when using RDP
Our DCs were all running on Windows server 2019 or 2022 but the functional level was still 2012.
Raise your domain functional level to 2016+, this worked for me.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 5%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Answer accepted by question author
Is anyone here using Crowdstrike Falcon Identity protection? There was a post on reddit saying this Windows 11 22H2 authentication issue is caused by falcon identity.
Release Notes | Falcon sensor for Windows 6.46.16012/6.47.16104 Hotfix
Fixed an issue with Falcon Identity Protection that blocked Kerberos authentications performed by hosts running Windows 11 version 22H2. This applies to all prior supported sensor versions.
We actually do use Falcon Identity Protection !
Thank you for this, I'll check that !!
WOW. I'mma go looking at that as I am a customer of CSFalcon (like every module they offer). Headed to look now.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 84%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
We use falcon, but I removed it from my computer a few days ago thinking that was the issue also, but it didn't do anything.
It's the Identity Product that is installed on the Domain Controller that seems to be the problem.
Removing it from the computer won't help if it's falcon identity protection causing the issue. The falcon identity sensor is installed on the domain controller and the blocking would be occurring there, not on the pc itself.
Yup. We're totally Crowdstrike endpoints. Thank you so much for sharing this.
new update. i updated the sensors on my PC and on the DC and no dice. I haven't rebooted the DC yet. don't know if I have to do that.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 28.000000000000004%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Updating the Falcon sensors on our DC's worked for us. We did not have to reboot them. Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 88%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
I removed just the Falcon Identity Sensor from both of my Domain Controllers and now all the Windows 11 22H2 clients are working. They are authenticating and getting Group Policy as normal. I'm not sure if there is a new fix coming from CrowdStrike. The hotfix version of the client didn't take care of the issue. Only removing the Identity Sensor did the trick.
Crowdstrike told me only the unified DC sensor has been updated. If your account is still uses the DC sensor separate from the falcon EDR sensor we're still waiting for an update to the standalone identity DC sensor. It might be possible to ask crowdstrike to update your account to use the new unified sensor but it requires a change on their side.
Putting Identity Protection into "passthrough" mode also worked for us to solve these issues.
I have a ticket with CrowdStrike and they have yet to confirm this issue stems from this module.
The fixed version of the falcon identity DC standalone sensor has been released. Version 6.48.21772. Has anyone installed it yet and can confirm the fix?
Nicelly seen !! I just installed it and it worked !
I did a Test-ComputerSecureChannel -Repair just in case ! (not sure if i had to do it or not, but after 1 restart it still didn't worked, I had the TGT listed but impossible to reach any sysvol share)
Thank you for keeping me updated of the fix !
We are running 2016 Functional Level with 2019 DC Servers. I can confirm that Identity Protection DC Sensor - Sensor Version6.48.21772 install has resolved our drive mapping issues.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 40%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
I think it has nothing to do with antivirus or firewall. I am facing exactly the same problem here and it is certainly a problem with Windows updates. At first it was possible to deleted lastet updates in 22h2 and 23h2 versions, just delete the updates in the options and restart the computer to have it working again with samba4 domain. However something really weird is happening now. When I delete the updates and set windows updates as off, when I restart the computer it updates anyway and I can never remove them. I tried remove with powershell since there is a possibility to do so but nothing seems to work anymore. Windows 11 just keep resulting in "trust relationship between this workstation and the domain fails".
I think I have tried everything that was possible. Update samba version, enable and disable Kerberos DES options in Local policies. The only way to login to the domain is using a different Windows version like 7 or 10 which works perfectly. Problem is that all licences here is for Windows 11.
Hope Microsoft fixes it soon.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 36%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
It's possible also worth mentioning that also:
Joining the domain after Windows 11 22H2 was installed did not solve it for us. We got a new computer that was preloaded with Windows 11 22H2 and had the issue as soon as we joined the domain.
Same here. We tried joining after the update and had no success.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
I opened a ticket with MS on this. If I have anything meaningful to share, I'll post an update. I provided a link to this thread.
Thank you !
I'm looking forward for the answer of Microsoft !
Also hoping you get a good response from Microsoft support. Someone in the reddit thread spent days troubleshooting this issue with Microsoft Support and it was no help at all. Maybe if you point them to these posts they will realize it's not just you and others are having the same issue too.
Yes thank you @Ryan Pertusio (H) !!
I think we found the problem now ! Sadly i'm not with the Unified Sensor so I have to wait... But we're on the good way !
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 46%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAJ%3C/text%3E%3C/svg%3E)
Did you hear back and manage to find a solution? Nothing else in this thread seems to have worked.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 93%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMW%3C/text%3E%3C/svg%3E)
Same here, I did the Windows 11 22H2 Update in a foreign network without contact to the DomainController. Now, I can't log in anymore to my notebook, when I am connected with the domain network ;-(, I have no access to any domain ressources! I can only work with my notebook, when I disconnect the network cable and do the login....
Thank you for your messages !
I hope Microsoft will understand quickly the issue and fix it !
So weird it's still not on the bug list ...