Windows 11 Client can't join the domain

Khalgrem · September 30, 2022, 11:57am

Hello there!

I ran into a problem today. Installed Windows 11 on a computer and tried to join it to the domain. It throws an error:

“Wrong username or password” after a few tries, i used the powershell command to join to the domain. same username and password. worked. rebooted and tried to login via domain user. same error: “wrong username or password”.

Network is working fine. We can use all local websites and can login with domain credentials on the websites. DNS-Server are setup right too. DNS-Suffix is right too. NetBios settings(WINS) for ipv4 is on default.

Only thing that is different from the other working clients is the dns forward zone entry

Not working one:

Working one:

How can i change this entry? or where is it saved?

Univention Version: 4.4-9 errata1279

gdampf · November 6, 2022, 5:54pm

I don’t think, this is related to the DNS Entry. Microsoft cut some older Hashing Algorithms for Kerberos in 22H2. If the PC is working well in the domain, after Upgrading to 22H2, the mentioned behaviour can be seen. Deinstalling 22H2 and reverting to 22H1 “solves” the problem. I think your freshly installed Windows 11 is at the same patch-level, so the problem occurs.

BORNXenon · November 8, 2022, 1:53pm

You have two options really:

upgrade Univention to version 5.0-2 which contains Samba 16.2 which will co-operate happily with Windows 11 22H2
downgrade Windows 11 to 21H2

There is a hackey workaround to change the way Kerberos works on Windows which will allow you to login, however, you will find that Group Policy updates and who knows what else won’t work.

There is a rather interesting thread on the matter here:

github.com/heimdal/heimdal

KDC: TGS-REQ problem with Windows 11 22H2 client

opened 05:41PM - 22 Sep 22 UTC

branciar

feature request bug

We have an Active Directory domain with a outgoing trust relationship to a Heimd…al KDC Kerberos realm. Users authenticate on the Heimdal realm from AD-joined workstations. We just encountered a problem with the latest Windows 11 version (22H2): the TGS-REQ issued by the Windows client to the Heimdal KDC for the krbtgt/AD-DOMAIN@HEIMDAL-REALM principal fails with "Decrypt integrity check failed": Sep 22 12:24:42 mykdc kdc[683]: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96 Sep 22 12:24:42 mykdc kdc[683]: Failed parsing TGS-REQ from IPv6:xx:xx:xx:xx:xx:xx:xx:xx Sep 22 12:24:42 mykdc kdc[683]: tgs-req: sending error: -1765328353 to client Under exactly same conditions, previous versions of Windows (up to Win11 21H2) obtain a successful TGS-REP from KDC. Thorough wireshark inspection of the TGS-REQ packets from various Windows clients highlights only one difference : the "till" timestamp of the "req-body" section is set to 99990913024805Z (9999-09-13 02:48:05 UTC) by the 22H2 Win11 client, whereas older Windows clients set it to 20370913024805Z (2037-09-13 02:48:05 UTC). This let me suspect a trivial 32-bit Unix epoch counter overflow in KDC... If so, this bug only occurs on TGS-REQ: in the logon process, Windows first sends AS-REQ containing the same odd timestamp (99990913024805Z value in the "till" and "rtime" fields of the req-body), which succeeds anyway. Our KDC version is 7.7.0, on x64 Debian 11 platform (heimdal-kdc 7.7.0+dfsg-2 Debian package). Quick steps to reproduce (NB: I suspect this bug may also arise in other setups involving Win11 22H2 clients): - have an AD domain (ours is at Windows Server 2016 functionality level, don't know if that matters) - have an Kerberos realm operated by Debian 11 x64 heimdal-kdc 7.7.0+dfsg-2 package (don't know if platform/architecture matters) - setup an outgoing trust relationship from AD domain to Heimdal realm (hints: "netdom trust", "ksetup /addkdc", create krbtgt/AD-DOMAIN on Heimdal realm) - have at least one user principal in Heimdal realm (say tom@HEIMDAL-REALM) - have at least one AD user (say tom@AD-DOMAIN) with an altSecurityIdentity attribute containing "Kerberos:tom@HEIMDAL-REALM" (external Kerberos identity mapping) - have at least one workstation running Windows 11 22H2, and another running an older version of Windows (say Windows 10), for comparison - configure both workstations to allow Heimdal realm logon (hint: ksetup /addkdc) - logon on both workstations as "tom@HEIMDAL-REALM" and heimdal password. It fails on 22H2, it works on older one.

MiracErde · November 9, 2022, 8:41am