Summary. CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923 address an elevation of privilege vulnerability that can occur when the Kerberos Key Distribution Center (KDC) is servicing a certificate-based authentication request.

Key Distribution Center (KDC) The Kerberos service that implements the authentication and ticket granting services specified in the Kerberos protocol. The service runs on computers selected by the administrator of the realm or domain; it is not present on every machine on the network.

Summary. This update addresses the following issue: Addresses a known issue that might cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self).

When all Domain Controllers have RFC-compliant KDC certificates, Windows can protect itself by Enabling Strict KDC Validation in Windows Kerberos. Note By default, newer Kerberos public key features will be required. Make sure that revoked certificates fail the respective scenario. AD CS is used for various scenarios in an organization.

Glossary. Summary. The November 8, 2022 and later Windows updates address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. More information can be found in CVE-2022-38023 .

Symptoms. Printing and scanning might fail when these devices use smart card (PIV) authentication. Note Devices that are affected when using smart card (PIV) authentication should work as expected when using username and password authentication. Cause.

Release Date: 11/8/2022. Version: Monthly Rollup. Summary. Learn more about this cumulative security update, including improvements, any known issues, and how to get the update. REMINDER Windows 8.1 will reach end of support on January 10, 2023, at which point technical assistance and software updates will no longer be provided.

Microsoft Key Distribution Service (KDS) start failure: System error 1064 has occurred. An Exception occurred in the service when handling the control request. KDS root key generation failure: The process cannot access the file because it is being used by another process. ( Exception from HRESULT: 0x80070020 ) Cause.

NEW 3/22/24. IMPORTANT If you plan to install this update on a domain controller (DC), we highly recommend that you install KB5037422 instead (March 22, 2024). This out-of-band update addresses a known issue that affects the Local Security Authority Subsystem Service (LSASS). It might leak memory on DCs.

This behavior causes the Key Distribution Center (KDC) to incorrectly build a new service name. Therefore, an incorrect service name is used, and the KPasswd service fails. Note The expected behavior is that the Key Distribution Center (KDC) directly copies the correct service name from the Kerberos ticket-granting tickets (TGTs). Resolution.