windows 11
What's the deal with Kerb3961?

Howdy, everyone! I wanted to write this blog post to discuss the new Kerb3961 library introduced in Windows Server 2025 / Windows 11 24H2. It is (hopefully) making encryption type (etype) usage within Kerberos much easier to anticipate and understand. Let's start with...

What is Kerb3961?

Kerb3961, named after RFC3961, is a refactor of the Kerberos cryptography engine in its own library. This library is now the authoritative source of:

1. Etype selection
2. Etype usage
3. Etype management

For the average IT administrator, the part that is going to be most interesting is #1. The Kerb3961 policy engine is what will authoritatively determine what etypes are available given different Kerberos key usage scenarios, whereas in previous Windows releases there were instances of hard-coded etype usage due to technical limitations at the time of implementation.

Kerb3961 still leverages the existing Kerberos etype configuration group policy: Network security: Configure encryption types allowed for Kerberos - Windows 10 | Microsoft Learn. However, it no longer honors the legacy registry key path of:

HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Kerberos\Parameters
REG_DWORD SupportedEncryptionTypes

As a reminder, the group policy mentioned above is used to configure the supported encryption types for a machine account. The machine then propagates this information into Active Directory (AD), where it is stored in the msds-SupportedEncryptionType attribute for the account. It has no effect on non-etype related Kerberos settings such as those outlined in Registry entries about Kerberos protocol and Key Distribution Center (KDC), with the exception of the DefaultDomainSupportedEncTypes registry key.

The biggest change is the reduction of hard-coded etype usage. We have heard the frustrations of customers who are trying to eliminate RC4 usage, and the seemingly unexplainable instances of RC4 usage within their environments. This new library removes these hard-coded dependencies and aggregates all those decisions into one place, with the goal of:

- More secure Kerberos operations by default
- More predictable Kerberos etype usage
- More stable etype additions
- More stable etype removals

For example, if we had not done this refactor, the DES deprecation and on-going work towards RC4 deprecation would not be possible.

Why did this need to happen?

Kerberos was added to Windows in the early 2000's as a part of beginning the move away from NTLM and into modern cipher usage. Over these decades, there have been incredible strides in security hardening that the original developers could not have foreseen. As a result, some of the design decisions made during that initial implementation impacted our ability to reliably change the way Kerberos operates. This can be seen in things like:

- Kerberos changes for CVE-2022-37966
- Kerberos changes for CVE-2022-37967

Additionally, with the long tail of code in this area and the etypes that have been historically used, it had become a near impossibility to add or remove a cipher due to how the etypes were directly associated in Kerberos.

What does this mean going forward?

The Kerb3961 library has key implications going forward. The biggest one is the removal of hard-coded cipher usage and a stronger adherence to the administrators' configured encryption types. The environment will operate as configured, meaning IT administrators can have a high degree of confidence that their configurations will be honored. This increases the amount of knowledge required by administrators. Misconfigurations, previously hidden by loose adherence to the configured etypes, will now be exposed. For more information about Kerberos etype selection, refer to the Kerberos EType Calculator.

What needs to be done?

Configuring an environment requires understanding what etypes are used within that environment. To help aid in this endeavor, we have improved Key Distribution Center (KDC) auditing:

- 4768(S, F): A Kerberos authentication ticket (TGT) was requested. - Windows 10 | Microsoft Learn
- 4769(S, F): A Kerberos service ticket was requested. - Windows 10 | Microsoft Learn

We have also published two PowerShell helper scripts that leverage these new events. The goal of these scripts is to allow for easier identification of both etype usage and account key availability. These scripts are published on the Microsoft Kerberos-Crypto GitHub repository, where, going forward, we will be using scripts and information published there to better interface with the community.

We acknowledge that substantial changes can introduce regressions and friction points for those with mature environments. It is our goal to allow for a smooth adoption of these new features and prevent any unnecessary pain for our already overworked and under-appreciated system administrators. Please be sure to leverage Feedback Hub to share your experiences with us. If you would like to see any of these features early, we highly recommend leveraging the Windows Insider Program and opting into Continuous Innovation and sharing feedback directly with the development team. We understand that this can be challenging, and Microsoft is committed to ensuring that the knowledge needed to make an informed decision about what is right for your environment.

Windows 11 clients cannot authenticate to NPS server using computer authentication
We have a Windows Server 2019 Datacenter server running NPS. Our WiFi office clients authenticate to this server for access to the corporate WiFi network. We use computer authentication, so members of the "Domain Computers" group are allowed access in the policy (we only want domain computers on this network and we don't want users to need to enter their user credentials). We use GPO to provision a WiFi profile to the domain computers, in which we configure that computer authentication is needed.

Our Windows 10 clients (literally all of them) are connecting nicely (I have anonymized the event log for security purposes):

Network Policy Server granted access to a user.

User:
    Security ID: DOMAIN\COMPUTER$
    Account Name: host/COMPUTER.domain.nl
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN\COMPUTER$

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: xx-xx-xx-xx-xx-xx:SSID
    Calling Station Identifier: XX-XX-XX-XX-XX-XX

NAS:
    NAS IPv4 Address: x.x.x.x
    NAS IPv6 Address: -
    NAS Identifier: AP01
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 1

RADIUS Client:
    Client Friendly Name: SonicPoint HQ 1
    Client IP Address: x.x.x.x

Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wireless)
    Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable
    Authentication Provider: Windows
    Authentication Server: NPS.DOMAIN.nl
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: "edited"
    Logging Results: Accounting information was written to the local log file.

When a Windows 11 client (all of them actually) tries to connect, we see the following logged (again, anonymized):

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID: NULL SID
    Account Name: host/COMPUTER.domain.nl
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN\COMPUTER$

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: XX-XX-XX-XX-XX-XX:SSID
    Calling Station Identifier: XX-XX-XX-XX-XX-XX

NAS:
    NAS IPv4 Address: x.x.x.x
    NAS IPv6 Address: -
    NAS Identifier: AP01
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 1

RADIUS Client:
    Client Friendly Name: SonicPoint HQ 1
    Client IP Address: x.x.x.x

Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wireless)
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: NPS.domain.nl
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: "edited"
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The only real difference I see is that for the Windows 11 client, NULL SID is provided as "Security ID". Could it be that this is causing NPS to not be able to verify that the machine that is attempting to connect is a member of the security group which is allowed to connect (the default group "Domain Computers")?

Looking forward to either a quick bug fix or a configuration change I need to make. Maybe other Windows Server admins are also experiencing this issue?

Connect a Workgroup device on 802.1x Network with NPS
We have an 802.1X-secured Wi-Fi network using EAP-TLS authentication with machine certificates. Domain-joined devices connect and authenticate successfully. However, we have a scenario where some non-domain (Workgroup) Windows 11 devices must connect to this network, and they fail to authenticate.

What we've tested so far:

User Certificate Approach:
- Created a duplicate of the User certificate template.
- Set Compatibility to Windows Server 2008 (to enable key storage provider support).
- Set Application Policies to include only Client Authentication.
- Set Subject Name to Supply in the request.
- During enrollment, we ensured the UPN in the certificate matches the AD user's UPN (e.g., user@domain).
- We verified the certificate appears under Published Certificates in the AD user's account.

Machine Certificate Approach:
- Created a certificate with:
  - CN=host/hostname.domain.local in the Subject
  - DNS=hostname.domain.local in the SAN
  - Client Authentication EKU
- Ensured the certificate is installed in the Local Machine store with private key.
- In AD:
  - Created a Computer object matching the machine name.
  - Added the ServicePrincipalName (SPN): host/hostname.domain.local
  - Added altSecurityIdentities: "X509:<I>CN=CA Name,DC=domain,DC=local<S>CN=host/hostname.domain.local"

What we observe in NPS Event Viewer:

Each connection attempt from a Workgroup machine, even with a valid certificate and proper mapping, results in:

Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

We also ensured that:
- NPS has a valid certificate with Server Authentication EKU
- The authentication method used is Microsoft: Smart card or other certificate (EAP-TLS)
- The policies are configured for certificate-based authentication only

The question:

How can we make NPS map a client certificate (from a non-domain device) to a user or computer account in Active Directory, so that authentication succeeds? Are there additional requirements for altSecurityIdentities, or limitations for Workgroup clients that we're missing?

Windows 11 ADMX and mixed environment (Win 10 and Win 11)
Dear all, I hope you are well. I still have the doubt whether the Windows 11 ADMX are already compatible with Windows 10. I noticed that my power GPOs, administrator permissions and remote desktop enablement were not being applied on Windows 11 computers but were on Windows 10. I started reading and found that there were new ADMX for Windows 11, but they were not backward compatible with Windows 10, and this makes administration a nightmare. Has this finally been solved? Can I safely apply the new templates for Windows 11 without them not working for Windows 10? I am afraid to make the change and generate chaos.

I remain attentive. Greetings to all!

Color Management is broken (GetICMProfile always returns WCS Default Device Profile)
Hi,

It looks like the color management logic has changed, and many, many graphics apps are not compatible with the color management logic of Windows 11, Windows Server 2022 and Windows Server vNext. There are quite a few references on the internet:

https://techcommunity.microsoft.com/t5/windows-11/windows-11-color-management-not-working-chrome-on-secondary/m-p/2869159
https://www.reddit.com/r/Windows11/comments/qg8dcg/for_those_of_you_going_crazy_over_icc_profiles/
https://community.adobe.com/t5/photoshop-ecosystem-discussions/color-management-not-working-with-photoshop-and-windows-11/m-p/12469301
https://www.eizoglobal.com/support/compatibility/software/win/windows11/

In short, the GetICMProfile Win32 API method doesn't return the expected value anymore on the mentioned systems. I'm quite surprised to see no comment from Microsoft, as color management is a very important aspect of OS functionality. It might be that Microsoft is deprecating GetICMProfile in favor of WcsGetDefaultColorProfile, but there are so many apps in the wild that already use the old method, so I don't think it is a wise decision, and so far it looks more like an issue that has not been noticed by Microsoft yet.

Remote desktop users do not allow reconnection
Hello everyone,

Last week we started having problems with our users' sessions to the remote desktop. Investigating, we found the issue was "supposedly" an error from Microsoft with an update; then we found some patches that supposedly fixed it. However, we still have cases of users who, despite having the patch installed, are able to connect to the remote desktop, but if for some reason they disconnect, they cannot reconnect; they simply receive an error message regarding the password. If they wait a few minutes (more than 15 minutes) and try again, then possibly they can connect again. Another option is rebooting the workstations they are connected to, and when they reconnect they do so without any problems. We have followed up on the whole process and our DNS is fine, our Gateway is fine, so we have no idea where else to look. By the way, for our login validation process we use DUO Two Factor Authentication. Any ideas?

Patches:
- https://support.microsoft.com/help/5020387: Windows 11 21H2
- https://support.microsoft.com/help/5020435: Windows 10 22H2
- https://support.microsoft.com/help/5020435: Windows 10 20H2 - 21H2

Thank you in advance,

WAC fails to open on brand new Windows 11 machine
Good morning,

I recently got a new workstation for my department, and it came with Windows 11 Pro. I tried installing Windows Admin Center 2110 (tried 1910.2 first with the same result), as I use it quite a lot, and it fails to open. I simply get the following error:

This page isn't working right now
localhost can't currently handle this request.
HTTP ERROR 500

Nothing of any real use in troubleshooting. I have uninstalled and re-installed a couple of times, the last time changing the port number to 6517 in case there was a conflict or something. I tried with and without the firewall, also to no avail. I am hoping someone has come across this before and is able to help me out.

Windows Server Essentials 2016 Client Backup on Windows 11 Pro unusably slow
I have just upgraded one machine to Windows 11 and everything appears to be working fine (a few tweaks needed for network printing and some software updates). For WSE2016, I had to uninstall/reinstall the Windows Server Essentials 2016 Client Connector for it to connect correctly to the server, but everything seems OK, with the ability to configure the backup working fine (a useful test of proper connectivity of the client to the server).

HOWEVER, now that I have started a client backup, it has currently taken around 16 hours to get to less than 40% complete. Previously the (incremental) client backups took minutes, and they continue to work fine on my other machines running Windows 10 Pro 21H2. All machines are connected via a Gbit wired network.

Has anyone else tested WSE2016 Client Backup on Windows 11? Have you seen the same issue? How do we report this to Microsoft? I am reporting through Insider Feedback, but suspect the WSE2016 client may need updates, so I want to make sure that the "bug" gets to the WSE2016 team as well, whilst it is still formally supported (End of Life being 11 January 2022).

The PC is an Asus ROG Maximus XI Hero (WiFi) with an Intel Ethernet adapter running Intel's latest driver (26.4), so I am also waiting for Intel to release updates with specific Windows 11 support, and for the first round of updates for Windows 11 expected on 12 October.

High temperature Windows 11
Laptop: While I was using Windows 10, which had the option to adjust between battery-saver performance and maximum performance (which is also different on battery or AC power, i.e. connected to the charger), my laptop was plugged in while installing Windows 11 and I had it on the maximum performance option, and when it came to Windows 11 it stayed with that setting. Now, when I have it plugged in, it reaches temperatures of 90 degrees, which is not very advisable, and this version of Windows 11 does not have something similar to adjust it again. That option stays fixed, which generates many temperature problems and damage to the equipment, or if people leave it on battery saver, they will lose performance on the computer because it stays fixed with those settings.

Recommendation: Include the option that Windows 10 had to adjust those parameters, or something similar, which can be accessed from the battery icon as before.

Translated with http://www.DeepL.com/Translator (free version)