Kerberos issue with gMSA after Windows November 2022 updates

Introduction

This document outlines issues reported when the Locator gMSA (Group Managed Service Account) authenticates with Kerberos after the November 2022 updates have been applied to servers running the Domain Controller role.

The update in question has the following name: 2022-11 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB5019966).

November 2022 details found here: https://support.microsoft.com/en-gb/topic/november-8-2022-kb5019966-os-build-17763-3650-b09dad62-5cd7-47cd-992f-b7d01f2956c1

Symptoms in Ayfie Locator

Login and authentication using Active Directory fail when trying to use the Locator UI. Examining the error.log, you will see log entries similar to the following:

08:38:19.567+00:00 [ERR] [23] [Via.Platform.Data.Authentication.SearchUser] System.Security.SecurityException: The encryption type requested is not supported by the KDC. at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn, SafeAccessTokenHandle& safeTokenHandle) at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type) at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName) at Via.Search.Rest.Services.SearchUserRepository.GetUserDomainName(ClaimsPrincipal claimsPrincipal) at Via.Search.Rest.Services.SearchUserRepository.GetUser(IPrincipal principal) at Via.Search.Rest.BusLogic.SearchUserExtension.ToSearchUser(IPrincipal principal) The Zone of the assembly that failed was: MyComputer

Resolution

The details about the issue are found here: https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#sign-in-failures-and-other-issues-related-to-kerberos-authentication. This issue was resolved in out-of-band updates released November 17, 2022 and November 18, 2022. The resolution is to install the out-of-band update.
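As an added example (not part of the original article), the following PowerShell check inventories which domain controllers carry KB5019966 and whether the out-of-band update is present, so you can see which KDCs can still produce the error above. The out-of-band KB number and the gMSA name are placeholders; take the KB ID for your Windows Server version from the Microsoft release-health page linked above.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module and WMI/DCOM access to each domain controller (Get-HotFix).
Import-Module ActiveDirectory

$NovemberKb = 'KB5019966'          # the November 2022 CU named in this article (Server 2019)
$OobKb      = 'KB<OOB-UPDATE-ID>'  # placeholder: out-of-band update ID for your OS version
$GmsaName   = 'svc_locator$'       # placeholder: sAMAccountName of the Locator gMSA

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        $hotfixes = Get-HotFix -ComputerName $dc -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
        [pscustomobject]@{
            DomainController = $dc
            Reachable        = $true
            HasNovemberCU    = $hotfixes -contains $NovemberKb
            HasOobFix        = $hotfixes -contains $OobKb
        }
    } catch {
        # Unreachable DCs are reported rather than silently skipped.
        [pscustomobject]@{
            DomainController = $dc
            Reachable        = $false
            HasNovemberCU    = $null
            HasOobFix        = $null
        }
    }
}

$results | Format-Table -AutoSize

# A DC with the November CU but without the out-of-band fix can still answer
# "The encryption type requested is not supported by the KDC". Later cumulative
# updates also contain the fix, so treat a hit here as a prompt to verify, not proof.
$results | Where-Object { $_.HasNovemberCU -and -not $_.HasOobFix } |
    ForEach-Object { Write-Warning "$($_.DomainController): November CU installed, OOB fix not found" }

# For context (not discussed in this article): record the gMSA's
# msDS-SupportedEncryptionTypes, the attribute that tells the KDC which Kerberos
# encryption types it may issue for this account.
Get-ADServiceAccount -Identity $GmsaName -Properties msDS-SupportedEncryptionTypes |
    Select-Object Name, msDS-SupportedEncryptionTypes
```

Run it from a domain-joined management host as an account that can read DC hotfix inventory; any DC flagged by the warning is a candidate for the out-of-band update.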

References