ASA AD-joined RDP Issues Due to Kerberos Authentication Failure
Overview

The November 2022 Microsoft patch KB5020805 applied changes that harden the Kerberos and Netlogon protocols. This patch inadvertently introduced an issue that can invalidate Kerberos signatures in certain environments, which in turn can cause Remote Desktop connections made with domain users to fail.

When this patch is applied to domain controllers, it can manifest as Remote Desktop Protocol (RDP) failures when using Advanced Server Access (ASA) with the Active Directory (AD)-joined feature. The symptoms may include:

  • Login attempt with an AD-joined password (option #1) fails with an error on the RDP session:

    The username or password is incorrect. Try again.

    After this, the username field at the login prompt might be populated in an incorrect format, "domain\user@domain"

  • The login attempt with AD-joined passwordless (option #2) fails with an error about smart card certificate authentication (a few variations of this error message have been seen).


In both scenarios, the ASA Gateway debug logs may not contain a specific error message, but the following may be observed:

  • In a packet capture between the target server and the domain controller, the Domain Controller might reject the target server's request for a Kerberos ticket with:

    KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP

  • Domain Controller event logs (Kerberos-Key-Distribution-Center) may contain a coinciding error, such as:

    While processing an AS request for target service krbtgt, the account testuser did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18  17  23  24  -135  3. The accounts available etypes : 23  18  17. Changing or resetting the password of testuser will generate a proper key.

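The event text above is the most useful artifact on the DC side, because it lists both the encryption types (etypes) the target server asked for and the keys the account actually has. The following PowerShell, an added example that is not part of the Okta article, parses that message into its etype lists, reports whether they overlap, and can pull live copies of the event from a DC. It assumes PowerShell 5.1 or later and that the event is written to the System log by the provider "Microsoft-Windows-Kerberos-Key-Distribution-Center"; the etype number-to-name table is taken from RFC 3961 and MS-KILE. The sample message is the one quoted above.

```powershell
# Added example, not from the Okta article. Decodes the etype lists in the
# Kerberos-Key-Distribution-Center "did not have a suitable key" event and,
# optionally, pulls live copies of that event from a DC's System log.
# Assumed: PowerShell 5.1+, and that the event's provider name is
# "Microsoft-Windows-Kerberos-Key-Distribution-Center" (System log).

# Etype numbers as they appear in the event text (RFC 3961 / MS-KILE names).
$EtypeNames = @{
    '18'   = 'AES256-CTS-HMAC-SHA1-96'
    '17'   = 'AES128-CTS-HMAC-SHA1-96'
    '23'   = 'RC4-HMAC'
    '24'   = 'RC4-HMAC-EXP'
    '-135' = 'RC4-HMAC-OLD-EXP'
    '3'    = 'DES-CBC-MD5'
    '1'    = 'DES-CBC-CRC'
}

function Format-Etype([string]$Id) {
    if ($EtypeNames.ContainsKey($Id)) { "$Id ($($EtypeNames[$Id]))" } else { "$Id (unknown)" }
}

function ConvertFrom-KdcKeyEventMessage {
    param([Parameter(Mandatory)][string]$Message)

    $account   = [regex]::Match($Message, 'the account (\S+) did not have').Groups[1].Value
    $missingId = [regex]::Match($Message, 'missing key has an ID of (\d+)').Groups[1].Value
    $reqText   = [regex]::Match($Message, 'requested etypes\s*:\s*([-\d\s]+?)\.').Groups[1].Value
    $avlText   = [regex]::Match($Message, 'available etypes\s*:\s*([-\d\s]+?)\.').Groups[1].Value

    # Keep the tokens as strings so a negative etype such as "-135" survives intact.
    $requested = @($reqText -split '\s+' | Where-Object { $_ -ne '' })
    $available = @($avlText -split '\s+' | Where-Object { $_ -ne '' })
    $common    = @($requested | Where-Object { $available -contains $_ })

    # No overlap points at an encryption-type policy mismatch (GPO or the account's
    # msDS-SupportedEncryptionTypes). Overlap with this event, as in the article's
    # sample, matches the KB5020805 symptom, so the DC patch level is the next check.
    $assessment = if ($common.Count -eq 0) {
        'No overlapping etype: review the Kerberos encryption-type GPO and the account keys'
    } else {
        'Etypes overlap: matches the KB5020805 symptom, verify the DC has the out-of-band fix'
    }

    [pscustomobject]@{
        Account      = $account
        MissingKeyId = $missingId
        Requested    = ($requested | ForEach-Object { Format-Etype $_ }) -join ', '
        Available    = ($available | ForEach-Object { Format-Etype $_ }) -join ', '
        Common       = ($common    | ForEach-Object { Format-Etype $_ }) -join ', '
        Assessment   = $assessment
    }
}

function Get-KdcKeyEvents {
    # Live query: run on, or with remote access to, a domain controller.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    } | Where-Object { $_.Message -match 'did not have a suitable key' } |
        ForEach-Object { ConvertFrom-KdcKeyEventMessage -Message $_.Message }
}

# Constructed sample: the event text quoted in the article.
$sample = 'While processing an AS request for target service krbtgt, the account testuser ' +
          'did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). ' +
          'The requested etypes : 18  17  23  24  -135  3. The accounts available etypes : 23  18  17. ' +
          'Changing or resetting the password of testuser will generate a proper key.'

ConvertFrom-KdcKeyEventMessage -Message $sample | Format-List
# On a DC, parse the real events instead:
# Get-KdcKeyEvents | Format-List
```

For the article's sample the requested and available lists share 18, 17 and 23, so the KDC is not refusing for lack of a common etype; that distinction separates this patch-induced failure from the ordinary "AES-only policy versus RC4-only keys" mismatch that the same event also reports.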

Applies To
  • Advanced Server Access (ASA)
  • AD-joined feature
Cause

The root cause of this specific issue was the Microsoft patch KB5020805, which applied security hardening for Kerberos/Netlogon and potentially invalidated Kerberos signatures in certain environments. Below are the links to the Microsoft KB release, Microsoft's acknowledgement of service disruption, and its resolution.

Solution
  1. If the issue is a direct match for the Microsoft issue above, Microsoft released an out-of-band update on November 17, 2022 that resolves it. We have specifically seen the issue introduced to ASA clients by applying the patch to the Domain Controller (DC), and confirmed that applying the out-of-band update to the domain controller resolved it.

    Windows Server 2022: KB5021656
    Windows Server 2019: KB5021655
    Windows Server 2016: KB5021654

    NOTE: As of December 2022, the fix for this issue has been rolled into the monthly Microsoft rollup updates.

  2. In general, Kerberos authentication between the target server and the DC is a vital part of the login flow when attempting to RDP to a server with an AD user. So even if the environment does not meet the criteria to be affected by the specific Kerberos signature issue outlined above, any number of other problems can break Kerberos authentication between the target server and the DC. At a minimum:

    1. Validate general network connectivity between the target server and the DC.
    2. Review the compatibility of GPOs related to Kerberos encryption.
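The two checks above, plus a check of the DC's patch level from step 1, can be run from the target server in one pass. The following PowerShell is an added example, not part of the Okta article or ASA: it tests the Kerberos, LDAP and SMB ports toward the DC, looks for the out-of-band KB matching the DC's OS, and decodes the local "Network security: Configure encryption types allowed for Kerberos" policy. It assumes PowerShell 5.1 or later, the NetTCPIP module (Test-NetConnection), remote CIM/WMI access to the DC, and that `$Dc` is a placeholder host name you replace; the 0x1C default used when the policy is not configured is an assumption drawn from Microsoft's documentation of that setting.

```powershell
# Added example, not from the Okta article. Runs the troubleshooting checks from
# the target (RDP) server: DC reachability, DC out-of-band update, local Kerberos
# encryption-type policy. Assumed: PowerShell 5.1+, Test-NetConnection (NetTCPIP),
# remote CIM and Get-HotFix access to the DC; $Dc is a placeholder.
$Dc = 'dc01.example.local'   # placeholder DC host name, replace with yours

# 1. Connectivity from this server to the DC: Kerberos (88), LDAP (389), SMB (445).
function Test-DcConnectivity {
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($port in 88, 389, 445) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}

# 2. Out-of-band update from the article, keyed by OS. Absence of the KB is not
#    proof of an unpatched DC: from December 2022 the fix ships in the monthly
#    cumulative update, so the newest installed hotfix date is reported as well.
$OobFix = @{
    'Windows Server 2022' = 'KB5021656'
    'Windows Server 2019' = 'KB5021655'
    'Windows Server 2016' = 'KB5021654'
}

function Test-DcOobFix {
    param([Parameter(Mandatory)][string]$ComputerName)
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction SilentlyContinue).Caption
    $kb = $OobFix.Keys | Where-Object { $os -like "*$_*" } | ForEach-Object { $OobFix[$_] } | Select-Object -First 1
    $present = $false
    if ($kb) { $present = [bool](Get-HotFix -Id $kb -ComputerName $ComputerName -ErrorAction SilentlyContinue) }
    $latest = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        OS = $os; ExpectedKb = $kb; OobKbInstalled = $present
        NewestHotfix = $latest.HotFixID; NewestInstalledOn = $latest.InstalledOn
    }
}

# 3. Kerberos encryption types allowed by local policy. The policy value is a bit
#    mask; bits outside this table are reported raw rather than named.
$EtypeBits = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory)][int]$Mask)
    $names = @(foreach ($bit in $EtypeBits.Keys) { if ($Mask -band $bit) { $EtypeBits[$bit] } })
    $rest  = $Mask -band -bnot 0x1F
    if ($rest) { $names += ('other bits 0x{0:X}' -f $rest) }
    $names
}

function Get-LocalKerberosEtypePolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    # Assumed default when the policy is not configured: RC4 + AES128 + AES256 (0x1C).
    $mask = if ($null -eq $v) { 0x1C } else { [int]$v }
    [pscustomobject]@{
        Configured = ($null -ne $v)
        Mask       = ('0x{0:X}' -f $mask)
        Allowed    = (ConvertFrom-KerberosEtypeMask $mask) -join ', '
    }
}

# Decoder on constructed values: a default mask and an AES-only mask. An AES-only
# policy on the server cannot match an account whose only available etype is 23.
ConvertFrom-KerberosEtypeMask 0x1C
ConvertFrom-KerberosEtypeMask 0x18

# Live checks against the DC and this server.
Test-DcConnectivity -ComputerName $Dc | Format-Table -AutoSize
Test-DcOobFix       -ComputerName $Dc | Format-List
Get-LocalKerberosEtypePolicy          | Format-List
```

Compare the Allowed list from the third check with the "accounts available etypes" in the DC event: the two must share at least one entry for the AS request to succeed, and the policy should be reviewed on both the target server and the DC, since the GPO can be scoped differently to each.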