People | PSU | Departments
Skip to contentSkip to search

NOTICE: IT Alerts has been shut down as of April 17, 2019 00:00 Eastern.   Replacement: https://pennstate.service-now.com/sp?id=services_status

IT Alert - Resolved: Issues Logging in to Windows Domains

/alerts

IT Alerts by Date


Info about the IT Alerts Replacement

  • red boxCurrent Alert
  • green boxResolved Alert
  • orange boxFuture Alert

Resolved: Issues Logging in to Windows Domains

Last updated on March 13, 2015 at 10:02AM

Update on March 13, 2015 at 10:02AM

ITS has identified the hotfix that has caused the issue for Windows Vista, Windows 7, Server 2008 and Server 2008 R2. We currently recommend for all Windows and Server systems, verification that hotfix kb2775511 is REMOVED. Microsoft recommends that a hotfix should only be installed if you are experience the exact issue listed in the hotfix description notes.

Update on March 12, 2015 at 2:38PM

ITS believes the problem to be associated with Microsoft Authentication using a capitalized realm name when building the key to encrypt a Kerberos ticket. ITS\' Kerberos realm is lowercase and is not be able to decrypt the Kerberos packet that is sent by the client. Error messages associated with the event have been found to be \"Decrypt integrity check failed\" from the Kerberos server as also KRB Error: KRB5KRB_AP_ERR_BAD_INTEGRITY that is produced on the windows client when Kerberos logging is enabled.

We want to point out that the rollback of the patches is a temporary recommendation and not a solution, alternately users can use the UPN authentication method as well which is userid@domain which does function correctly.

ITS would like to remind everyone that patches from Microsoft either direct or through a WSUS server should always be tested before deploying to production environments.

Update on March 12, 2015 at 11:28AM

ITS continues to investigate this issue. It has been identified that this issue affects Windows Server 2008, 2008 R2, Windows 7 and Windows Vista clients.

For those areas using Systems Management @ Penn State (SysMan) participants can use the \"Rollback Patch Task: KB3035131\" and \"Rollback Patch Task: KB3033929\" tasks to uninstall these two KBs it is recommended to uninstall both for now until investigation and troubleshooting is complete.

Update on March 11, 2015 at 12:21PM

At this time, ITS recommends that for Windows clients KB3033929 and KB3035131 should be removed for now. These updates have been un-approved from the central Windows Server Update Services (WSUS).

ITS is continuing to investigate the root cause of this issue.

Update on March 11, 2015 at 10:22AM

ITS has blocked this patch from the central WSUS for Windows 7 until we can identify the root cause.

Original Alert

There are currently issues logging in to some Windows-based domains with dce.psu.edu credentials. ITS recommends that users log in to these systems using "userID@dce.psu.edu". ITS believes this is related to Microsoft Update KB3002657 and is investigating a way to rollback this update.

For more information, please contact IT Service Desk (itservicedesk@psu.edu).


NOTE: Historic alerts such as this may be visible for a limited time. For latest alerts, see https://pennstate.service-now.com/sp?id=services_status

Impact Information

  • Incident Type:
    Unexpected Outage
  • Locations affected:
    All locations
  • Began on:
    March 11, 2015 at 9:28AM
  • Issue Resolved:
    March 13, 2015 at 10:02AM