Domain Controller - Nov 2022 Patches

karthik palani 1,016 Reputation points
2022-11-09T11:43:49.07+00:00

Hi All

We got the below emergency patches for installation on DC, Any one already applied. Please advice if this is affecting any services or any impact

Take action: Security hardening for Netlogon and Kerberos starting with November 2022 security update

• KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
• KB5021130: How to manage Netlogon protocol changes related to CVE-2022-38023
• KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,441 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,082 questions
Hyper-V
Hyper-V
A Windows technology providing a hypervisor-based virtualization solution enabling customers to consolidate workloads onto a single server.
2,599 questions
Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
424 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Tim G 1 Reputation point
    2022-11-14T15:04:36.497+00:00

    After KB5019964 installed on our two Server 2016 DCs, we were unable to logon using Windows authentication to our legacy SQL2000 on a Server 2003R2 server from domain Win7 or Win10 workstations, from multiple applications, including SSMS.

    SSMS error was "Logon failed for user (null)...".

    It was still possible to connect if SQL authentication was instead used.

    Removing KB5019964 restored normal connectivity using Windows authentication.

    0 comments No comments

  2. Dishanth Sivalingam 1 Reputation point
    2022-11-16T11:09:55.59+00:00

    Same issue described by TimG-9310. After installing KB5019964 on DCs, uninstalling KB from domain controller fixed the issue. Quite similar to May 2022 update and authentication issues.

    Member servers and workstations had no-issues with or without the update. Uninstall and exclude from patch run required for DCs.

    0 comments No comments

  3. Monks89 1 Reputation point
    2022-11-16T14:40:42.297+00:00

    The December patched coming up possibly may cause another authentication issue. Following the article below, my workaround was to add the 3 reg keys. Microsoft is increasing KDC authentication.

    Ref: https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb#registry5020805

    I've added the following keys on DCs after November patches.

    reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v KrbtgtFullPacSignature /t REG_DWORD /d 0 /f

    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v RequireSeal /t REG_DWORD /d 0 /f

    reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v ApplyDefaultDomainPolicy /t REG_DWORD /d 0 /f

    Another ref: https://borncity.com/win/2022/11/10/updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues/

    0 comments No comments