Hello, Chris Cartwright here from the Directory Services support team. Taking a breather from the phone calls. In the past few weeks, there have been a large number of questions, rumors, and suggestions thrown around about the November 2022 security updates.
Microsoft Support recommends that you read these articles to get the best understanding of the topics discussed in this and related blogs:
- TechCommunity: Decrypting the Selection of Supported Kerberos Encryption Types (provides an understanding of etypes)
- TechCommunity: November 2022 Out of Band update released! Take action!
- Microsoft KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966
- Windows Release Health Message Center: Take action: OOB update to address an issue with sign in and Kerberos authentication
There are two issues that we are currently seeing after installing the November 2022 security update or the Out of Band (OOB) version of this update. Please review the associated blog posts below to determine if you need to take action on one, or perhaps both scenarios.
- Memory leaks within LSASS.exe on domain controllers.
- Kerberos authentication failures caused by non-intersecting encryption types (KDC_ERR_ETYPE_NOSUPP error).
A behavior change was made that exposes a failure in environments that control Kerberos encryption types and where those encryption types do not intersect, and/or in environments where FAST, Windows Claims, Compound identity, or SID compression are configured.
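
To make "non-intersecting encryption types" concrete, the following added example (not from the original post or from Microsoft) decodes encryption-type bitmasks and flags accounts that share no etype with what the environment allows. The account names, their masks, and the AES-only allowed mask are constructed sample data; the model is a simplification that compares one account mask against one allowed mask.

```powershell
# Bit values of the msDS-SupportedEncryptionTypes attribute (documented in MS-KILE).
$EtypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function ConvertTo-EtypeName {
    param([int]$Mask)
    # @() keeps an empty result as an empty array instead of $null.
    @($EtypeBits.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key })
}

function Test-EtypeIntersection {
    param([string]$Name, [int]$AccountMask, [int]$AllowedMask)
    $common = $AccountMask -band $AllowedMask
    # A mask of 0 means the attribute is not set; the effective default
    # is decided elsewhere and is not evaluated by this example.
    $status = 'OK'
    if ($AccountMask -eq 0) { $status = 'NotSet' }
    elseif ($common -eq 0)  { $status = 'NoIntersection' }
    [pscustomobject]@{
        Account    = $Name
        Configured = (ConvertTo-EtypeName $AccountMask) -join ', '
        Common     = (ConvertTo-EtypeName $common) -join ', '
        Status     = $status
    }
}

# Constructed sample: an environment restricted to AES128 + AES256 (assumption).
$allowed = 0x18

# Constructed sample accounts (hypothetical names and values).
$accounts = @(
    @{ Name = 'svc-sql';    Mask = 0x04 }   # RC4 only
    @{ Name = 'svc-web';    Mask = 0x18 }   # AES128 + AES256
    @{ Name = 'svc-legacy'; Mask = 0x00 }   # attribute not set
)

$accounts | ForEach-Object {
    Test-EtypeIntersection -Name $_.Name -AccountMask $_.Mask -AllowedMask $allowed
} | Format-Table -AutoSize
```

Accounts reported as `NoIntersection` are the ones to review first when investigating KDC_ERR_ETYPE_NOSUPP; `NotSet` accounts need the environment's default etype configuration checked separately.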