Microsoft November 2022 Patch causes vCenter Server Authentication Failures

Article ID: 344879

Products

VMware vCenter Server

Issue/Introduction

Disabling the use of RC4 for Kerberos tickets causes VMware vCenter Server to fail authentication.

This issue typically follows the implementation of Microsoft November 2022 security updates, which introduce events warning of RC4-related connection requests.

Relevant Microsoft Cumulative Updates:

  • ​Windows Server 2022: KB5021656
  • ​Windows Server 2019: KB5021655
  • ​Windows Server 2016: KB5021654

Relevant Microsoft Standalone Updates:

  • Windows Server 2012 R2: KB5021653
  • Windows Server 2012: KB5021652
  • Windows Server 2008 R2 SP1: KB5021651
  • Windows Server 2008 SP2: KB5021657

Environment

VMware vCenter Server

Cause

VMware vCenter Server attempts to authenticate using the RC4 cipher in an Active Directory domain where RC4 is explicitly disabled or restricted.

This is most likely because the vCenter Server computer object is limited by the ms-DS-SupportedEncryptionType attribute. It is also possible that the domain's default encryption attribute (DefaultDomainSupportedEncTypes) is set to allow only RC4.

Resolution

Apply the applicable Microsoft out-of-band (OOB) patch on all Domain Controllers in the environment, then detect and remediate RC4 usage in Kerberos as described below.

Detect and remediate RC4 usage in Kerberos

Apply one of the following configuration options to update the encryption type for the vCenter Server computer object.

Option 1: Active Directory Users and Computers (ADUC)

  1. Open Active Directory Users and Computers.
  2. Select View from the menu bar and verify Advanced Features is enabled.
  3. Navigate to the vCenter Server computer object.
  4. Right-click the object and select Properties > Attribute Editor.
  5. Locate the ms-DS-SupportedEncryptionType attribute and set its value to 24.
  6. Click OK. The value is displayed as 0x18.
  7. Click OK to save changes.
  8. Log out of the vCenter Server UI, close the browser, and log back in using a domain user account.

Option 2: PowerShell

  1. Open an administrative PowerShell prompt.
  2. Execute the following command, replacing <vCENTER-AD-Object> with the exact computer object name:
     Set-ADComputer -Identity <vCENTER-AD-Object> -KerberosEncryptionType AES128,AES256
  3. Verify the object attribute has been updated to 0x18.
  4. Log out of the vCenter Server UI, close the browser, and log back in using a domain user account.

Additional Information

To verify the cipher in use, filter the Windows Domain Controller security logs for Event IDs 4769 and 4768.

Search for the vCenter Server computer account entry. If the Ticket Encryption Type shows RC4 (e.g., 0x17 or 0x18) instead of AES-256 (0x12), this resolution applies. Note that these ticket encryption type codes are a different code space from the ms-DS-SupportedEncryptionType attribute value: in the event log 0x18 denotes RC4-HMAC-EXP, whereas the attribute value 0x18 (24) set above denotes AES128 plus AES256.
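The following script covers both the verification step of Option 2 and the event log check above, as an added example that is not part of this article. It reads and decodes the vCenter computer object's msDS-SupportedEncryptionTypes attribute (the LDAP name of the attribute edited in the options above), then filters a domain controller's Security log for events 4768 and 4769 involving that account and reports any ticket issued with an RC4 encryption type. It assumes the ActiveDirectory PowerShell module (RSAT) and rights to read the Security log; the computer name VCSA01 is a placeholder.

```powershell
# Added example, not part of the KB article. Assumes the ActiveDirectory module (RSAT)
# and read access to the domain controller's Security log. 'VCSA01' is a placeholder
# for the vCenter Server computer object name.
param(
    [string]$ComputerName = 'VCSA01',
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Hours = 24
)
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute (24 = 0x18 = AES128 + AES256).
$AttrBits = [ordered]@{ 0x01 = 'DES-CBC-CRC'; 0x02 = 'DES-CBC-MD5'; 0x04 = 'RC4-HMAC'
                        0x08 = 'AES128-CTS-HMAC-SHA1-96'; 0x10 = 'AES256-CTS-HMAC-SHA1-96' }
# Ticket Encryption Type codes logged in events 4768/4769. This is a different code space:
# here 0x18 means RC4-HMAC-EXP, not the AES bitmask value shown in Attribute Editor.
$TicketCodes = @{ '0x11' = 'AES128'; '0x12' = 'AES256'; '0x17' = 'RC4-HMAC'; '0x18' = 'RC4-HMAC-EXP' }

# 1. Decode the computer object's attribute and flag RC4 (or an unset value).
$obj  = Get-ADComputer -Identity $ComputerName -Properties 'msDS-SupportedEncryptionTypes'
$mask = [int]$obj.'msDS-SupportedEncryptionTypes'
$enabled = $AttrBits.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $AttrBits[$_] }
'{0}: msDS-SupportedEncryptionTypes = {1} (0x{1:X}) = {2}' -f $obj.Name, $mask, ($enabled -join ', ')
if ($mask -eq 0 -or ($mask -band 0x04)) {
    Write-Warning "$($obj.Name): attribute is unset or still allows RC4; expected 24 (0x18)."
}

# 2. Scan recent TGT (4768) and TGS (4769) events involving this account and report
#    any ticket issued with an RC4 encryption type.
$filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue
$samName = "$ComputerName`$"
$tickets = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $samName -and $data['ServiceName'] -ne $samName) { continue }
    $code = $data['TicketEncryptionType']
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Account = $data['TargetUserName']
                       Service = $data['ServiceName']; EncType = "$code ($($TicketCodes["$code"]))" }
}
$rc4 = @($tickets | Where-Object { $_.EncType -match 'RC4' })
if ($rc4.Count -eq 0) { "No RC4 tickets for $samName in the last $Hours h on $DomainController." }
else { $rc4 | Format-Table -AutoSize }
```

Run it before and after applying Option 1 or 2: the attribute line should change to 24 (0x18) and, once vCenter users have logged back in, no further RC4 tickets should appear for the account.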