Summary

After installing the November 2022 Windows updates on your domain controllers, you may find that the Access Manager service does not start, or user authentication fails when trying to access the web service.

Cause

There are known issues with the November 2022 Windows update that can prevent users, service accounts, and computer objects from authenticating in the domain.

This can result in the Access Manager Service failing to start, or if the service does start, the Access Manager service may be unable to access resources within the domain. As a result, users cannot log into the AMS website, or access LAPS password and request JIT access.

In the event log or in the AMS log files (C:\Program Files\Lithnet\Access Manager Service\logs), you may find one or more of the following log entries (or similar messages).

Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed
 ---> System.ComponentModel.Win32Exception (0x80090342): The encryption type requested is not supported by the KDC.

System.Security.Authentication.AuthenticationException: The user name or password is incorrect.
 ---> System.Runtime.InteropServices.COMException (0x8007052E): The user name or password is incorrect.

Users may see an error message in the portal saying:

Your request could not be processed because your SSO identity could not be found in the directory

Resolution

Microsoft have released an out-of-band update to fix the known issue with the update. Install the update on all domain controllers, and once complete, reboot the AMS server.

• KB5021656: Windows Server 2022

• KB5021655: Windows Server 2019

• KB5021654: Windows Server 2016

• KB5021653: Windows Server 2012 R2

• KB5021652: Windows Server 2012

• KB5021657: Windows Server 2008 SP2

This patch does not need to be installed on the AMS server itself.