Microsoft’s KB5021131 Security Update: Breaks VMware vCenter Login?
In recent news, Microsoft published a security update for Windows that has raised some concerns among VMware users. The update, KB5021131, requires applications to use the more secure AES algorithm for Kerberos encryption instead of the insecure RC4-HMAC. While this is a good idea in theory, it has been reported that the update may break vCenter login functionality when used with VMware vCenter.
In this blog post, we will delve into the details of KB5021131 and explore how it may impact vCenter login functionality. We will also provide a suggested workaround to ensure seamless authentication with vCenter.
What is KB5021131?
KB5021131 is a security update for Windows that requires applications to use the more secure AES algorithm for Kerberos encryption instead of the insecure RC4-HMAC. The update aims to improve the security of Windows systems by moving Kerberos to AES, which is widely considered more secure than RC4-HMAC.
How does KB5021131 impact vCenter login?
The issue arises when vCenter is joined to a Microsoft Active Directory (AD) domain. vCenter authenticates users against AD using the Kerberos protocol, so an unexpected change in the way Windows handles Kerberos encryption can break vCenter login functionality.
To address this issue, VMware support recommends setting the encryption type for the vCenter objects in AD to 24 (decimal). This will ensure seamless authentication with vCenter.
Testing Results
I conducted some testing in my lab to verify the impact of KB5021131 on vCenter login functionality. Here are the results:
1. Without patch: I checked the encryption type used for Kerberos tickets and found that it was 0x12, which is AES256-CTS-HMAC-SHA1-96. This is the default encryption type for most environments.
2. With patch: After applying the KB5021131 update, I checked the encryption type used again and found that it was 0x17, which is RC4-HMAC. This is the encryption type that Microsoft wants to avoid.
Workaround
To resolve the issue, VMware support recommends setting the encryption type for the vCenter objects in AD to 24 (decimal). This will ensure seamless authentication with vCenter. Here are the steps to set the encryption type for a vCenter object in AD:
1. Open the Active Directory Users and Groups administration tool.
2. Navigate to the vCenter object in AD.
3. Right-click the object and select “Edit”.
4. In the “Attribute Editor” window, locate the “msDS-SupportedEncryptionTypes” attribute.
5. Set the value of this attribute to 24 (decimal).
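The same change from PowerShell, as an added example that is not part of the original post or of VMware's guidance: it reads the vCenter object's current msDS-SupportedEncryptionTypes value, decodes the bitmask so you can see whether RC4 is still allowed, and only writes 24 when -Apply is given. It assumes the RSAT ActiveDirectory module is installed and that the vCenter object is a computer account named VCENTER01 (a placeholder name).

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT module
# and a vCenter computer account named VCENTER01 (placeholder; adjust for your domain).
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EtypeFlags = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)
$AesOnly = 24   # 0x18 = AES128 (0x08) + AES256 (0x10), the value VMware support recommends

function Get-EtypeNames([int]$Value) {
    $names = foreach ($f in $EtypeFlags) { if ($Value -band $f.Bit) { $f.Name } }
    if (-not $names) { 'none set (domain controller default applies)' } else { $names -join ', ' }
}

function Set-VCenterAesOnly {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$Apply     # without -Apply the function only reports the current value
    )
    $obj = Get-ADComputer -Identity $ComputerName -Properties 'msDS-SupportedEncryptionTypes'
    $current = [int]($obj.'msDS-SupportedEncryptionTypes')   # $null becomes 0
    Write-Host ("{0}: current value {1} (0x{1:X}) = {2}" -f $obj.Name, $current, (Get-EtypeNames $current))

    if ($current -eq $AesOnly) {
        Write-Host 'Already AES-only (24); nothing to do.'
        return
    }
    if ($current -band 0x04) { Write-Warning 'RC4-HMAC is currently allowed on this object.' }

    if ($Apply) {
        Set-ADComputer -Identity $ComputerName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }
        Write-Host ("Set to {0} (0x{0:X}) = {1}" -f $AesOnly, (Get-EtypeNames $AesOnly))
    } else {
        Write-Host ("Run again with -Apply to set {0} (AES128 + AES256)." -f $AesOnly)
    }
}

# Report only; add -Apply to write the attribute.
Set-VCenterAesOnly -ComputerName 'VCENTER01'
```

If the vCenter object in your domain is a user or service account rather than a computer account, Get-ADUser and Set-ADUser accept the same -Properties and -Replace parameters.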
Conclusion
In conclusion, KB5021131 may break vCenter login functionality in environments where VMware vCenter authenticates against AD. However, by setting the encryption type for the vCenter objects in AD to 24 (decimal), you can ensure seamless authentication with vCenter. We recommend that you test this solution in your lab before implementing it in your production environment.
If you have any further questions or concerns, please feel free to ask. We are here to help!