Secure Bits
Kerberos Auth Failures in Mixed Environments (WS 2025 + WS 2022 DCs)
Ran into this issue twice already – and it's sneaky.
So here's what you should know:
If you're running a mixed domain with Windows Server 2022 and 2025 DCs, watch out for Kerberos authentication errors after password changes.
Issue:
If a user's password is changed on a WS 2025 DC and they later try to authenticate against a WS 2022 DC, you may get:
• KRB5KDC_ERR_ETYPE_NOSUPP in Wireshark
• Event ID 4771 with failure code 0xE in the Security log (0xE is KDC_ERR_ETYPE_NOSUPP, the same error Wireshark shows)
I experienced this in hardened environments with only AES enabled.
It looks like WS 2025 may generate key material that WS 2022 cannot read or validate properly, causing auth to fail – even though everything looks configured correctly.
Once the passwords are changed back on WS 2022 DCs, things work again across both.
How to detect it:
• Look for repeated ETYPE_NOSUPP errors in Wireshark
• Review Event ID 4771 with failure code 0xE
• Focus on accounts that recently changed passwords on WS 2025 DCs
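To make those detection steps concrete, here is an added PowerShell example (not from the original post) that pulls 4771 events with failure code 0xE from a DC's Security log and correlates each affected account with its last password change and the DC that originated that change, read from the unicodePwd replication metadata. It assumes the RSAT ActiveDirectory module and rights to read the Security log and replication metadata; $DC and $LookbackHours are assumed parameter names.

```powershell
# Added example, not from the original post. Assumes: RSAT ActiveDirectory module,
# rights to read the DC's Security log and AD replication metadata.
# $DC and $LookbackHours are assumed parameter names (constructed here).
param(
    [string]$DC = $env:COMPUTERNAME,   # the DC whose Security log to read (the WS 2022 DC rejecting logons)
    [int]$LookbackHours = 24
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$LookbackHours)

# 4771 = Kerberos pre-authentication failed. Status 0xe = KDC_ERR_ETYPE_NOSUPP,
# the failure code the post describes (0x18, the usual wrong-password code, is ignored).
$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $since
} -ErrorAction SilentlyContinue
$hits = foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['Status'] -eq '0xe') {        # -eq is case-insensitive in PowerShell
        [pscustomobject]@{
            Time     = $ev.TimeCreated
            Account  = $d['TargetUserName']
            ClientIP = $d['IpAddress']
            PreAuth  = $d['PreAuthType']  # 2 = PA-ENC-TIMESTAMP, 15 = PKINIT
        }
    }
}

# Correlate each failing account with its last password change and, from
# replication metadata on unicodePwd, the DC where that change originated.
$report = foreach ($g in ($hits | Group-Object Account)) {
    $user = Get-ADUser -Identity $g.Name -Properties pwdLastSet -ErrorAction SilentlyContinue
    if (-not $user) { continue }   # computer/service principals are out of scope here
    $pwdSet = [datetime]::FromFileTime($user.pwdLastSet)
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                -Server $DC -Properties unicodePwd
    [pscustomobject]@{
        Account         = $g.Name
        Failures        = $g.Count
        LastClientIP    = ($g.Group | Sort-Object Time | Select-Object -Last 1).ClientIP
        PwdLastSet      = $pwdSet
        ChangedInWindow = $pwdSet -ge $since
        PwdChangedOnDC  = $meta.LastOriginatingChangeDirectoryServerIdentity
    }
}
# Accounts whose password changed recently and originated on a WS 2025 DC match the pattern.
$report | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Run it against the DC that is rejecting the logons; rows flagged ChangedInWindow whose PwdChangedOnDC is a WS 2025 DC are the accounts to rotate first.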
Temporary workaround:
• Rotate affected passwords on WS 2022 or older DCs
• Or avoid mixed environments with WS 2025 DCs – for now
I've seen this issue now multiple times, and spotted it discussed in a few community threads as well – so it's not isolated.
Anyone else seeing similar problems? If you're running WS 2016 or WS 2019 DCs in a mixed setup – are you affected too?
