Forum Discussion
osozu (Brass Contributor)
Oct 21, 2022
Problem with kb KB5018411 on domain controllers
After we installed KB5018411 on WS 2016 domain controllers, we cannot authenticate RDP connections using the DNS name in mstsc against servers and clients. In the network capture we see Kerberos errors:
1039 9.056341 10.4.1.6 10.4.1.72 KRB5 268 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
then
1031 9.054642 10.4.1.6 10.4.1.72 KRB5 155 KRB Error: KRB5KDC_ERR_TGT_REVOKED
and that occurs every time we access RDP with the DNS name.
Connecting with the IP address in the mstsc client works.
Edit:
Here is the same problem on Reddit:
KB5018411 installed friday, can't RDP to terminal server (on prem)? : sysadmin (reddit.com)
- dz890 (Copper Contributor): Try this out-of-band update and see if it fixes the issue.
https://support.microsoft.com/en-us/topic/october-18-2022-kb5020439-os-build-14393-5429-out-of-band-f9840376-4f36-45c3-8dd8-f366c4b884dd
- osozu (Brass Contributor): Hi, we tried but it doesn't help either.
- dz890 (Copper Contributor): After some more searching this looks to be an issue with the encryption ciphers.
What clients are trying to RDP to Server 2016? Windows 10 or Windows 11?
Use this tool to check your enabled encryption on the Server. https://www.nartac.com/Products/IISCrypto/
Check the cipher suite order as well. If you make a change you do need to restart the computer.
This post is different from your issue, but they found TLS/cipher order to be the issue
https://support.oneidentity.com/safeguard-authentication-services/kb/4274683/-krb5kdc_err_preauth_required-causing-join-to-fail
https://community.spiceworks.com/topic/2293152-need-help-with-kerberos-authentication-troubleshooting