A Tip From Kinetic Computer Services ...

Windows Server 2019 can no longer access shared folders on Windows XP, Windows Server 2003, Windows Server 2008 (system error 2148074306 or "The encryption type is not requested by the KDC)

Description of the Problem

You have a server running Windows Server 2019. It accesses a shared folder on a computer running Windows XP, Windows Server 2003, or Windows 2008. It has worked in the past, but no longer does. Instead, you get one or more of the following errors:

System error 2148074306 has ocurred.

Error code: 0x80004005 Unspecified error

ERROR -2146892990 (0x80090342) The encryption type is not requested by the KDC.

Cause

A Microsoft security update, CVE-2022-37966, is responsible. This update disables access to Windows XP, Windows Server 2003, and certain versions and service pack levels of Windows 2008 from Windows Server 2019. This behavior is by design. This update was released on November 8, 2022 as "2022-11 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB5019966)."

For more information, see Microsoft knowledge base article "KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966".

The only solution Microsoft offers to this issue is to upgrade the legacy computers to a supported version of windows. Furthermore, Microsoft states:

IMPORTANT We do not recommend using any workaround to allow non-compliant devices authenticate, [sic] as this might make your environment vulnerable.

Workaround

You can restore access to your legacy computers by removing CVE-2022-37966 from your Windows Server 2019 computer. Note that the normal GUI-based process for uninstalling Windows Updates does not work for removing KB5019966. The above article recommends using the PowerShell command, Remove-WindowsPackage. A more detailed explanation of the procedure is provided below.

Before removing the package, you must obtain its name. To do this, type the following command at a normal command prompt:

The output of the above command will probably be too long for you to work with. You may wish to capture it to a text file, which you can then open in Notepad. For example:

Open your output.txt file in Notepad and look for packages installed after November 8, 2022. Search or scan for the string "17763.3650" in the Package Identity. Once you find it, note the part of the Package Identity that beins with "RollupFix." It will contain a 16-character hexadecimal string. Search your output.txt file for any other packages containing that string. For example, your packages may look like this:

Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.3650.1.9
State : Superseded
Release Type : Security Update
Install Time : 1/9/2023 7:11 PM

Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.3770.1.10
State : Installed
Release Type : Security Update
Install Time : 1/9/2023 11:31 PM

Note that the first package above contains the string 17763.3650, while the second package includes the same RollupFix identifier as it.

Now, open a PowerShell command prompt. Type Remove-Windows Package -Online -PackageName followed by the first Package Identity in your output, in quotes. If your packages were those in the above example, you would type:

After that command finishes, you would type:

(Note that you can copy the package names from Notepad and paste them into PowerShell.)

You will be prompted to restart the server after each uninstall. You only need to restart after all packages have been uninstalled.

After your server has rebooted, it should be able to connect to the shared folders on your legacy computers as it did before the update.

Windows Update will attempt to re-apply CVE-2022-37966. To prevent this, either stop applying Windows updates or use the downloadable "Show and Hide Update tool."

This tip is a free service of Kinetic Computer Services - professional network consultants serving the Houston area since 1998.

Reproduction of this document without the author's consent is prohibited.