Can't log on after changing machine account password in mixed Windows Server 2012 R2 or Windows Server 2016 and Windows Server 2003 environment

Applies to: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Server 2012 R2 Essentials

Symptoms

Consider the following scenario:

  • You have domain controllers that are running Windows Server 2003-base in a domain and add a Windows Server 2012 R2 or Windows Server 2016 domain controller to this domain.
  • You have a domain-joined computer that authenticates against a Windows Server 2003-based domain controller first, and then the computer authenticates against a Windows Server 2012 R2-based domain controller.
  • You log on the computer and change the machine account password two times.
  • You log on the computer again.

In this scenario, you receive the following error message:

unknown username or bad password

Cause

The Kerberos client depends on a salt from the Key Distribution Center (KDC) in order to create the Advanced Encryption Standard (AES) keys on the client-side. These AES keys are used to hash the password that the user enters on the client, and protect the password in transit over the wire so that the password cannot be intercepted and decrypted. The salt refers to information that is fed into the algorithm that is used to generate the keys so that the KDC can verify the password hash and issue tickets to the user. When a Windows 2012 R2 domain controller is added in an environment where Windows Server 2003 domain controllers are present, there is a mismatch in the encryption types that are supported on the KDCs and used for salting. Windows Server domain controllers do not support AES and Windows Server 2012 R2 domain controllers do not support Data Encryption Standard (DES) for salting.

How to obtain this update or hotfix

To resolve this issue, we have released a hotfix and an update rollup for Windows Server 2012 R2 in which Active Directory is installed.

Before you install this hotfix, check the prerequisite of the hotfix.

The update rollup fixes many other issues in addition to the issue that the hotfix fixes. We recommend that you use the update rollup. The update rollup is larger than the hotfix. Therefore, the update rollup takes longer to download.
 

Note After the update is installed, we recommend you restart all client computers that support Advanced Encryption Standard (AES) encryption. This is to recover the clients if they had previously restarted against a Windows Server 2012 R2 domain controller that does not have the update installed.

Update for Windows Server 2012 R2

The following update rollup is available:

Get update rollup 2984006

Hotfix for Windows Server 2016

The following update rollup is available:

February 25, 2020—KB4537806 (OS Build 14393.3542)

Hotfix detail information

Prerequisites

To apply this hotfix, you must first install update 2919355 on Windows Server 2012 R2. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

2919355 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 Update April, 2014

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.