Nov 2022 Update Impacted Windows Failover Cluster

Copper Contributor

We have installed the Nov 8 update on 2 of our 3 domain controllers, and one of our WFOC providing our File Servers. It was identified that the cluster that was updated was offline. Even after adding the reg key and value for "disable mode" on our patched domain controllers, the problem persisted.

After following the trail through the logs on our DCs all our file cluster AD objects were failing kerberos communication with the DCs. Even though we have nothing "set" in our domain to limit or explicitly set any kerberos encryption types, those AD objects were set to only use AES 128 and AES 256. Which is fine and desired of course. But they were all attempting to communicate on RC4.

Once we used GPO to set those AD objects to also be able to use RC4 encryption, everything started to work as it should. The implication being that the Windows Failover Cluster is using RC4. This is true for both the unpatched and patched clusters.

My question for this community is why, and how do I get it to use AES128/256?

Domain Controllers:
-Windows Server 2019 Datacenter - domain and forest levels are set to 2016


File Clusters:
Windows Server 2019 Datacenter with 2 nodes

-Failover Cluster

-DFS Namespace and Replication

-WCF Services

-File and Storage Services

-File Server Resource Manager

2 Replies
Update all service accounts in AD to reflect AES 256 and 128, RC4. Reset the password for the krbtgt account and any other service accounts - then update their passwords with the same values, then set the krbtgt account again to the same value 12 hours later. Update the msds-supportedencryptiontypes to 28 in AD for all object associated to the cluster.
Thank you, I have done all these steps, and put all my cluster AD objects into a GPO explicitly setting those encryption types. I was really wondering why a brand new Server 2019 cluster would even be trying to to use DES.