On-premises Identity-related updates and fixes for November 2022


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for November 2022:


Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5019964 November 8, 2022

The November 8, 2022, update for Windows Server 2016 (KB5019964) updating the OS build number to 14393.5501, is a monthly cumulative update that includes the following Identity-related improvements:

  • It provides Kerberos protocol changes to address CVE-2022-37966, a Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
  • It provides Kerberos protocol changes to address CVE-2022-37967, a Windows Kerberos Elevation of Privilege Vulnerability
  • It provides Netlogon protocol changes to address CVE-2022-38023, a Netlogon RPC Elevation of Privilege Vulnerability
  • It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. Microsoft will automatically raise the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
  • It addresses an issue that affects the Microsoft Azure Active Directory Application Proxy connector. It cannot retrieve a Kerberos ticket on behalf of the user. The error message is:

The handle specified is invalid (0x80090301)

  • It addresses an issue that affects the Forest Trust creation process. It fails to add the Domain Name System (DNS) name suffixes to the trust information attributes. This occurs after you install the January 11, 2022, or later updates.
  • It addresses an issue that affects Domain Controllers. The Domain Controller writes an event with Event ID 21 and source Key Distribution Center (KDC) in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request using a self-signed certificate for key trust scenarios. This includes Windows Hello for Business and Device Authentication.
  • It addresses an issue that affects the Microsoft Visual C++ Redistributable Runtime. It does not load into the Local Security Authority Server Service (LSASS) when you enable Protected Process Light (PPL).

Note:
After installing this or later updates on Domain Controllers, you might experience a memory leak with Local Security Authority Subsystem Service (LSASS.exe). Depending on the workload of the Domain Controllers and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of the server. The server might become unresponsive or automatically restart.


KB5021654 November 17, 2022 Out of Band

The November 17, 2022, update for Windows Server 2016 (KB5021654), updating the OS build number to 14393.5502, is an out-of-band update that addresses a known issue that affects Windows Servers that have the Domain Controller role: after installing the November 8, 2022 update, they might have Kerberos authentication issues. This out-of-band update is not offered through Windows Update and must be obtained from the Microsoft Update Catalog.
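Because CVE-2022-37966 concerns RC4-HMAC and the out-of-band update addresses Kerberos failures for accounts whose key types do not line up with what the KDC now expects, the first thing to establish before enforcing anything is which accounts still depend on RC4, or have no encryption types set at all. The PowerShell below is an added example written for this post, not code from Microsoft or from the KB articles. It assumes the ActiveDirectory RSAT module, a user that can read msDS-SupportedEncryptionTypes, and decodes the attribute with the bit values defined in MS-KILE; the optional Server parameter is an assumption of the example, and the remark about the KDC default refers to the DefaultDomainSupportedEncTypes registry value in Microsoft's guidance for CVE-2022-37966.

```powershell
# Added example for this post; not Microsoft's code or from the KB articles.
# Decodes msDS-SupportedEncryptionTypes for the accounts that can hold a
# Kerberos service key (SPN-bearing users, computers, trust accounts) and
# flags the ones that only have RC4-HMAC, only DES, or nothing set.
# Assumes: ActiveDirectory RSAT module; read access to the attribute.

# Bit values of msDS-SupportedEncryptionTypes as defined in MS-KILE.
$EncTypeBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x20; Name = 'AES256-CTS-HMAC-SHA1-96-SK' }
)

function ConvertFrom-EncTypes {
    # Returns the names of the encryption types whose bit is set in $Value.
    param([int]$Value)
    $names = foreach ($t in $EncTypeBits) {
        if (($Value -band $t.Bit) -ne 0) { $t.Name }
    }
    return @($names)
}

function Get-KerberosEncTypeReport {
    # $Server is an optional Domain Controller to query (assumed parameter).
    param([string]$Server)
    $query = @{ Properties = 'msDS-SupportedEncryptionTypes' }
    if ($Server) { $query.Server = $Server }

    $accounts = @(Get-ADUser     -LDAPFilter '(servicePrincipalName=*)' @query) +
                @(Get-ADComputer -Filter * @query) +
                @(Get-ADObject   -LDAPFilter '(objectClass=trustedDomain)' @query)

    foreach ($a in $accounts) {
        $raw    = $a.'msDS-SupportedEncryptionTypes'
        $hasAes = ($null -ne $raw) -and (($raw -band 0x18) -ne 0)   # AES128 or AES256
        $hasRc4 = ($null -ne $raw) -and (($raw -band 0x04) -ne 0)
        $hasDes = ($null -ne $raw) -and (($raw -band 0x03) -ne 0)

        if ($null -eq $raw -or $raw -eq 0) {
            $finding = 'Unset: KDC default applies (DefaultDomainSupportedEncTypes)'
            $rawText = 'unset'
            $encText = ''
        } else {
            $rawText = '0x{0:X}' -f $raw
            $encText = (ConvertFrom-EncTypes $raw) -join ', '
            if ($hasRc4 -and -not $hasAes) {
                $finding = 'RC4 only: add AES before RC4 is disabled'
            } elseif ($hasDes -and -not $hasAes -and -not $hasRc4) {
                $finding = 'DES only: DES is off by default on supported Windows'
            } else {
                $finding = 'OK'
            }
        }

        [pscustomobject]@{
            Name     = $a.Name
            Class    = $a.ObjectClass
            RawValue = $rawText
            EncTypes = $encText
            Finding  = $finding
        }
    }
}

# Usage: list only the accounts that need attention before enforcement.
Get-KerberosEncTypeReport | Where-Object Finding -ne 'OK' |
    Sort-Object Class, Name | Format-Table -AutoSize
```

Accounts that come back as "RC4 only" or "Unset" are the ones to fix (set AES types on the account and reset its password so an AES key exists) before RC4 is removed from the domain default; the report is read-only and safe to run repeatedly while the migration proceeds.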


Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5019966 November 8, 2022

The November 8, 2022, update for Windows Server 2019 (KB5019966) updating the OS build number to 17763.3650, is a monthly cumulative update that includes the following Identity-related improvements:

  • It provides Kerberos protocol changes to address CVE-2022-37966, a Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
  • It provides Kerberos protocol changes to address CVE-2022-37967, a Windows Kerberos Elevation of Privilege Vulnerability
  • It provides Netlogon protocol changes to address CVE-2022-38023, a Netlogon RPC Elevation of Privilege Vulnerability
  • It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. Microsoft will automatically raise the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
  • It addresses a DCOM issue that affects the Remote Procedure Call Service (rpcss.exe). It raises the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY instead of RPC_C_AUTHN_LEVEL_CONNECT if RPC_C_AUTHN_LEVEL_NONE is specified.
  • It addresses an issue that affects the Microsoft Azure Active Directory Application Proxy connector. It cannot retrieve a Kerberos ticket on behalf of the user. The error message is:

The handle specified is invalid (0x80090301)

  • It addresses an issue that affects focus order. This issue occurs when you tab from the password field on a credentials page.
  • It addresses an issue that affects the Forest Trust creation process. It fails to add the Domain Name System (DNS) name suffixes to the trust information attributes. This occurs after you install the January 11, 2022, or later updates.

Note:
After installing this or later updates on Domain Controllers, you might experience a memory leak with Local Security Authority Subsystem Service (LSASS.exe). Depending on the workload of the Domain Controllers and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of the server. The server might become unresponsive or automatically restart.


KB5021655 November 17, 2022 Out of Band

The November 17, 2022, update for Windows Server 2019 (KB5021655), updating the OS build number to 17763.3653, is an out-of-band update that addresses a known issue that affects Windows Servers that have the Domain Controller role: after installing the November 8, 2022 update, they might have Kerberos authentication issues. This out-of-band update is not offered through Windows Update and must be obtained from the Microsoft Update Catalog.


Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5019081 November 8, 2022

The November 8, 2022, update for Windows Server 2022 (KB5019081) updating the OS build number to 20348.1249, is a monthly cumulative update that includes the following Identity-related improvements:

  • It provides Kerberos protocol changes to address CVE-2022-37966, a Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
  • It provides Kerberos protocol changes to address CVE-2022-37967, a Windows Kerberos Elevation of Privilege Vulnerability
  • It provides Netlogon protocol changes to address CVE-2022-38023, a Netlogon RPC Elevation of Privilege Vulnerability
  • It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. It automatically raises the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
  • It addresses a DCOM issue that affects the Remote Procedure Call Service (rpcss.exe). It raises the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY instead of RPC_C_AUTHN_LEVEL_CONNECT if RPC_C_AUTHN_LEVEL_NONE is specified.
  • It addresses an issue that affects the Microsoft Azure Active Directory (AAD) Application Proxy connector. It cannot retrieve a Kerberos ticket on behalf of the user. The error message is:

The handle specified is invalid (0x80090301)

  • It improves Active Directory replication performance in large environments.
  • It addresses an issue that affects the Forest Trust creation process. It fails to place the domain name system (DNS) name suffixes in the trust attributes. This issue occurs on devices that install January 11, 2022, or later updates.
  • It addresses an issue that affects certificate mapping. When it fails, lsass.exe might stop working in schannel.dll.

Note:
After installing this or later updates on Domain Controllers, you might experience a memory leak with Local Security Authority Subsystem Service (LSASS.exe). Depending on the workload of the Domain Controllers and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of the server. The server might become unresponsive or automatically restart.


KB5021656 November 17, 2022 Out of Band

The November 17, 2022, update for Windows Server 2022 (KB5021656), updating the OS build number to 20348.1251, is an out-of-band update that addresses a known issue that affects Windows Servers that have the Domain Controller role: after installing the November 8, 2022 update, they might have Kerberos authentication issues. This out-of-band update is not offered through Windows Update and must be obtained from the Microsoft Update Catalog.
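For the three hardening items that recur in each of the cumulative updates above (Netlogon RPC sealing for CVE-2022-38023, the Kerberos PAC signature for CVE-2022-37967 and DCOM Packet Integrity), and for the Kerberos failures the out-of-band updates fix, the practical question is which clients and accounts are affected. The PowerShell below is an added example written for this post, not code from Microsoft or from the KB articles. It assumes rights to read the System log on the target machine; the event IDs it queries are the ones Microsoft documents for these changes, and should be treated as assumptions to verify against the KB article for your build.

```powershell
# Added example for this post; not Microsoft's code or from the KB articles.
# Collects, from a machine's System log, the events that the November 2022
# hardening changes use to report clients that will break once enforcement
# is turned on, plus the KDC "no suitable key" event behind the Kerberos
# failures the November 17 out-of-band updates address.
# Event IDs are taken from Microsoft's guidance for these changes; treat
# them as assumptions to verify against the KB for your build.
# Assumes: rights to read the System log on the target computer.

$HardeningChecks = @(
    @{ Topic    = 'Netlogon RPC sealing / RC4 (CVE-2022-38023)'
       Provider = 'NETLOGON'
       Ids      = 5838, 5839, 5840, 5841 },
    @{ Topic    = 'Kerberos full PAC signature (CVE-2022-37967)'
       Provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
       Ids      = 42, 43, 44 },
    @{ Topic    = 'Kerberos: account has no suitable key (OOB issue)'
       Provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
       Ids      = 14 },
    @{ Topic    = 'DCOM authentication level below Packet Integrity'
       Provider = 'Microsoft-Windows-DistributedCOM'
       Ids      = 10036, 10037, 10038 }   # 10036 server side, 10037/10038 client side
)

function Get-HardeningEvents {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,   # a DC or a client, assumed reachable
        [datetime] $Since        = (Get-Date).AddDays(-7)
    )
    foreach ($check in $HardeningChecks) {
        $filter = @{
            LogName      = 'System'
            ProviderName = $check.Provider
            Id           = $check.Ids
            StartTime    = $Since
        }
        # Get-WinEvent reports an error when nothing matches; here that just means "clean".
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [pscustomobject]@{
                Topic   = $check.Topic
                Time    = $e.TimeCreated
                Id      = $e.Id
                Summary = ($e.Message -split "`r?`n")[0]   # first line of the message text
            }
        }
    }
}

# Usage: counts per event in the last week, then the individual events.
$found = Get-HardeningEvents
$found | Group-Object Topic, Id | Select-Object Count, Name | Sort-Object Name | Format-Table -AutoSize
$found | Sort-Object Time | Format-Table Time, Id, Summary -AutoSize -Wrap
```

Run it against Domain Controllers for the Netlogon, Kerberos and DCOM server-side events, and against member servers (by passing -ComputerName) for the DCOM client-side events; a week with no hits is the signal that enforcement can be turned on without surprises.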


KB5020032 November 22, 2022 Preview

The November 22, 2022, update for Windows Server 2022 (KB5020032), updating the OS build number to 20348.1311, is a preview update that includes the following Identity-related improvement: It addresses an issue that affects cluster name objects (CNO) or virtual computer objects (VCO). Password reset fails. The error message is:

There was an error resetting the AD password… // 0x80070005
