Microsoft November Updates and breaking TrueSSO

First of all happy new year everyone!

On 31 december 2022 New Years Eve I got a message from a colleague of mine while eating "oliebollen" with the family at friends of ours.

One customer is having issues with external login's to their VMware Horizon environment.

They get stuck on the Imprivata login screen. Alltough the user can login by re-entering their credentials it is annoying. The fact Imprivata selected the default domain to be the local machine and the user has to switch this to their Active Directory domain does not help either.

I pointed out this issue does not look like Imprivata tough but rather TrueSSO is not working and pointed out to take a look at the Enrollment servers and the CA console (since they also are the designtated SUB CA's for the TrueSSO Certificate's)

Received the following screenshot that confirms the issue is indeed with TrueSSO,

a lot of failed requests with the error:

The encryption type requested is not supported by the KDC. 0x80090342 (2146892990 SEC_E_KDC_UNKNOWN_ETYPE)

This error usually points to Kerberos issues to the Domain Controllers.

It does looks like a simular issue we had at another customer, Henry Heres recently blogged about this: Notes from the field: The Kerberos chronicles, the one with VMware TrueSSO – The IT Stories (technicalfellow.com)

Since there is no root domain in play here and we did not change anything due the holidays we concluded this could be the Microsoft November updates

and... yes the november updates where installed recently on the customers Domain controllers

Alltough there are workarounds available, luckily Microsoft released on november 17th Out-Of-Band security updates to fix the issue:

November 17, 2022—KB5021654 (OS Build 14393.5502) Out-of-band - Microsoft Support

here it is stated:

The OOB update fixes a known issue that might affect Windows servers with the Domain Controller (DC) role. They might have Kerberos authentication issues if both of the following are true:

• Installed November 8, 2022, or later update on the DC

• Configured the SupportedEncrytionType key to remove the RC4 cipher at a domain level or on individual accounts

Well the updates where installed and yes we apply CIS policy's to harden all the systems and it does disable the RC4 Cipher. Seems a hit!

After the OOB updates where installed on the Domain Controllers the train got rolling again!

I hope this little blog could help anyone facing this issue!

Some additional links:

Fix for KDC Kerberos issues after patching for CVE-2022–37966 | by Frank Breedijk | Nov, 2022 | Schuberg Philis

Bug Fix OOB Update For Domain Controllers To Fix Sign In And Kerberos Authentication Issue HTMD Blog (anoopcnair.com)