Summary

The November 8, 2022 and later Windows updates address a security bypass and elevation of privilege vulnerability in Authentication Negotiation that is caused by the use of weak RC4-HMAC negotiation.

This update sets AES as the default encryption type for session keys on accounts that do not already have a default encryption type set.

To help secure your environment, install the Windows update that is dated November 8, 2022, or a later Windows update, on all devices, including domain controllers.

To learn more about these vulnerabilities, see CVE-2022-37966.

Discovering Explicitly Set Session Key Encryption Types

You may have explicitly defined encryption types on your user accounts that are vulnerable to CVE-2022-37966. Look for accounts where DES or RC4 is explicitly enabled but AES is not, using the following Active Directory query:

  • Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18"

Known issues

Symptom

After installing Windows updates released on or after November 8, 2022 on Windows Servers that use the Domain Controller role, you might have issues with Kerberos authentication. This issue might affect any Kerberos authentication in your environment. Some scenarios that might be affected:

When this issue is encountered, you might receive a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 4 error event in the System section of the event log on your Domain Controller with the following text.

Note Affected events will contain the string "the missing key has an ID of 1":

While processing an AS request for target service <service>, the account <account name> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of <account name> will generate a proper key.

Note This issue is not an expected part of the security hardening for Netlogon and Kerberos that starts with the November 2022 security update. You will still have to follow the guidance in those articles even after this issue is resolved.

Windows devices used at home by consumers or devices which are not part of an on-premises domain are not affected by this issue. Azure Active Directory environments that are not hybrid and have no on-premises Active Directory servers are not affected.

Next step

This issue was resolved in out-of-band updates released November 17, 2022 for installation on all the Domain Controllers (DCs) in your environment. You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue. If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them.

To get the standalone package for these out-of-band updates, search for the KB number in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manager instructions, see Import updates from the Microsoft Update Catalog.

Note The below updates are not available from Windows Update and will not install automatically.

Cumulative updates:

Note You do not need to apply any previous update before installing these cumulative updates. If you have already installed updates released November 8, 2022, you do not need to uninstall the affected updates before installing any later updates including the updates listed above.

Standalone Updates:

Note If you are using security only updates for these versions of Windows Server, you only need to install these standalone updates for the month of November 2022. Security only updates are not cumulative, and you will also need to install all previous Security only updates to be fully up to date. Monthly rollup updates are cumulative and include security and all quality updates. If you are using Monthly rollup updates, you will need to install both the standalone updates listed above to resolve this issue, and install the Monthly rollups released November 8, 2022 to receive the quality updates for November 2022. If you have already installed updates released November 8, 2022, you do not need to uninstall the affected updates before installing any later updates including the updates listed above.

Registry Key settings

After the Windows updates that are dated on or after November 8, 2022 are installed, the following registry key is available for the Kerberos protocol:

Configurable value that states the default supported encryption type for an Active Directory user or computer whose msDS-SupportedEncryptionTypes attribute is not set.

Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC

Value: DefaultDomainSupportedEncTypes

Data type: REG_DWORD

Default value: 0x27

Restart required? No

Note If this registry key is not set already, this update assumes that the value is set to 0x27.

To find the supported encryption types that you can manually set, refer to Supported Encryption Types Bit Flags.
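The bit-flag logic behind the Get-ADObject query above and the DefaultDomainSupportedEncTypes default, as an added example that is not part of the Microsoft article: it applies the same two masks the query uses (0x7 for DES/RC4, 0x18 for AES) to exported msDS-SupportedEncryptionTypes values, and shows what the KDC assumes for accounts that leave the attribute unset. The bit names are taken from the MS-KILE supported encryption type flags (an assumption), and the sample accounts are constructed.

```python
# Added example (not from the Microsoft article): checks exported
# msDS-SupportedEncryptionTypes values the way the article's Get-ADObject
# filter does (-bor 0x7 set and -bor 0x18 not set), and shows what the KDC
# assumes for accounts that leave the attribute unset (0x27 when absent).

ETYPE_FLAGS = {  # bit names per MS-KILE supported encryption types (assumption)
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",  # AES session keys only
}
DES_RC4_MASK = 0x07       # the article's first mask
AES_MASK = 0x18           # the article's second mask (AES128 | AES256)
REGISTRY_DEFAULT = 0x27   # DefaultDomainSupportedEncTypes if not set


def decode_flags(value):
    """Names of the encryption type bits set in value."""
    return [name for bit, name in ETYPE_FLAGS.items() if value & bit]


def matches_article_query(value):
    """True for an explicitly set value with DES/RC4 bits but no AES bit.
    None (attribute not set) never matches: an LDAP bitwise filter does
    not match an absent attribute, so such accounts need a separate look."""
    if value is None:
        return False
    return bool(value & DES_RC4_MASK) and not value & AES_MASK


def triage(accounts, domain_default=REGISTRY_DEFAULT):
    """Classify {account: attribute value or None} into a per-account report."""
    report = {}
    for name, value in accounts.items():
        effective = domain_default if value is None else value  # what the KDC uses
        report[name] = {
            "explicit": value is not None,
            "flagged": matches_article_query(value),
            "effective": effective,
            "etypes": decode_flags(effective),
        }
    return report


# Constructed sample export; None means the attribute is not set.
SAMPLE_ACCOUNTS = {
    "svc-legacy": 0x04,    # RC4 only: matches the article's query
    "svc-mixed": 0x1C,     # RC4 plus AES128/AES256: not flagged
    "user-default": None,  # unset: KDC applies the registry default
}
```

Accounts with an unset attribute are not returned by the LDAP query even though the 0x27 default still contains the DES and RC4 bits, so the report lists their effective etypes separately.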

Windows events related to CVE-2022-37966

The Kerberos Key Distribution Center lacks strong keys for account

Event Log: System

Event Type: Error

Event Source: Kdcsvc

Event ID: 42

Event Text:

The Kerberos Key Distribution Center lacks strong keys for account: accountname. You must update the password of this account to prevent use of insecure cryptography. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

If you find this error, you likely need to reset your krbtgt password. For more information about how to do this, see the New-KrbtgtKeys.ps1 topic on the GitHub website.
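Triage logic for the two event texts quoted in this article (Event ID 4 with the "the missing key has an ID of 1" marker, and Kdcsvc Event ID 42), as an added example that is not part of the Microsoft article: it extracts the account and the requested and available etypes, maps etype numbers to their RFC names, and tells the two situations apart. The sample events are constructed in the shape the article quotes.

```python
# Added example (not from the Microsoft article): parses the KDC event
# text the article quotes. Event ID 4 is attributed to the November 8, 2022
# issue only when it carries the marker "the missing key has an ID of 1";
# Kdcsvc Event ID 42 names an account whose password must be reset.
import re

ETYPE_NUMBERS = {  # Kerberos etype numbers from RFC 3961, 3962 and 4757
    1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC",
}
MISSING_KEY_MARKER = "the missing key has an ID of 1"
EVENT4_RE = re.compile(
    r"the account (?P<account>.+?) did not have a suitable key.*?"
    r"requested etypes : (?P<req>[\d ]+)\..*?available etypes : (?P<avail>[\d ]+)\.",
    re.DOTALL)
EVENT42_RE = re.compile(r"lacks strong keys for account: (?P<account>\S+)\.")


def _names(field):
    """Turn '23 18 17' into etype names; unknown numbers keep their number."""
    return [ETYPE_NUMBERS.get(int(n), f"etype-{n}") for n in field.split()]


def triage_kdc_event(event_id, text):
    """Describe an Event ID 4 or 42 for the defender; None for other events."""
    if event_id == 4 and (m := EVENT4_RE.search(text)):
        known_issue = MISSING_KEY_MARKER in text
        return {"event_id": 4, "account": m["account"],
                "requested": _names(m["req"]), "available": _names(m["avail"]),
                "nov2022_issue": known_issue,
                "action": "install the November 17, 2022 out-of-band update on every DC"
                          if known_issue else "reset the account password as the event advises"}
    if event_id == 42 and (m := EVENT42_RE.search(text)):
        return {"event_id": 42, "account": m["account"], "nov2022_issue": False,
                "action": "reset the account password (New-KrbtgtKeys.ps1 for krbtgt)"}
    return None


# Constructed sample events (event id, message text) in the article's shape.
SAMPLE_EVENTS = [
    (4, "While processing an AS request for target service krbtgt/EXAMPLE.TEST, "
        "the account alice did not have a suitable key for generating a Kerberos "
        "ticket (the missing key has an ID of 1). The requested etypes : 18 3. "
        "The accounts available etypes : 23 18 17. Changing or resetting the "
        "password of alice will generate a proper key."),
    (42, "The Kerberos Key Distribution Center lacks strong keys for account: "
         "krbtgt. You must update the password of this account to prevent use "
         "of insecure cryptography. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more."),
]
```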

Frequently Asked Questions (FAQ)

Accounts that are flagged for explicit RC4 usage may be vulnerable. In addition, environments that do not have AES session keys within krbtgt may be vulnerable. To mitigate, follow the guidance on how to identify vulnerabilities and use the Registry Key settings section to update explicitly set encryption defaults.

Glossary

Advanced Encryption Standard (AES) is a block cipher that supersedes the Data Encryption Standard (DES). AES can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is used in symmetric-key cryptography, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext, and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. AES is also known as the Rijndael symmetric encryption algorithm [FIPS197].

Kerberos is a computer network authentication protocol which works based on “tickets” to allow for nodes communicating over a network to prove their identity to one another in a secure manner.

Key Distribution Center (KDC): The Kerberos service that implements the authentication and ticket-granting services specified in the Kerberos protocol. The service runs on computers selected by the administrator of the realm or domain; it is not present on every machine on the network. It must have access to an account database for the realm that it serves. KDCs are integrated into the domain controller role. It is a network service that supplies tickets to clients for use in authenticating to services.

RC4-HMAC (RC4) is a variable key-length symmetric encryption algorithm. For more information, see [SCHNEIER] section 17.1.

Session key: A relatively short-lived symmetric key (a cryptographic key negotiated by the client and the server based on a shared secret). A session key's lifespan is bounded by the session with which it is associated. A session key has to be strong enough to withstand cryptanalysis for the lifespan of the session.

Ticket-granting Ticket (TGT): A special type of ticket that can be used to obtain other tickets. The TGT is obtained after the initial authentication in the Authentication Service (AS) exchange; thereafter, users do not need to present their credentials, but can use the TGT to obtain subsequent tickets.
