RMAD Backup Failure: A logon request contained an invalid logon type value

January 10, 2023—KB5022286

This update addresses security issues for your Windows operating system.

Improvements

This security update includes improvements. When you install this KB:

  • New! This update provides the Quick Assist application for your client device.

  • This update addresses an issue that might affect authentication. It might fail after you set the higher 16-bits of the msds-SupportedEncryptionTypes attribute. This issue might occur if you do not set the encryption types or you disable the RC4 encryption type on the domain.

  • This update addresses an issue that affects cluster name objects (CNO) or virtual computer objects (VCO). Password reset fails. The error message is, “There was an error resetting the AD password… // 0x80070005”.

  • This update addresses an issue that affects Microsoft Defender for Endpoint. Automated investigation blocks live response investigations.

  • This update addresses a known issue that affects apps that use Microsoft Open Database Connectivity (ODBC) SQL Server Driver (sqlsrv32.dll) to connect to databases. The connection might fail. You might also receive an error in the app, or you might receive an error from the SQL Server.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.

For more information about security vulnerabilities, please refer to the new Security Update Guide website and the January 2023 Security Updates.

RMAD Backup Failure: A logon request contained an invalid logon type value

Unable to create backups with a gMSA account in the RMAD tool after installing Microsoft's February patches

Issue Description

RMAD is unable to connect to SQL using a gMSA account after installing the January or February Microsoft patches. After October, a number of changes were made to Kerberos, the KDC and the Netlogon channel, and Microsoft released these changes via patches.

Due to these patches, legacy applications stopped working because they are unable to authenticate with the KDC using the latest 128-bit and 256-bit encryption methods. After installing the Microsoft patches KB5022289/KB5022286/KB5022845/KB5022836, backups are not created with a gMSA account and the following error message is triggered: “A logon request contained an invalid logon type value”.

Cause

The behavior change has been confirmed to be the result of a deliberate change made by Microsoft to fix a security issue with group managed service accounts (gMSA). This change, which breaks RMAD functionality, was introduced with Microsoft security patches KB5022289/KB5022286/KB5022845/KB5022836.

After the November patches, Microsoft stopped supporting RC4 encryption for legacy applications. We suspect that the SQL Server integrated with RMAD is still using the lower NTLM version with RC4 encryption, and that this is the main reason the SPN for SQL Server is not created via the gMSA account.

Because of the SPN registration issue, the gMSA account is unable to connect to SQL Server and the backup fails with this error. Note: SQL Server is required to store the RMAD backup-related information.

Resolution

There is no permanent solution for this problem; however, we are still testing a solution in our lab to make gMSA compatible with the RMAD product.

  • Change the RMAD server object so that it supports RC4 encryption.
  • Change the SPN to allow it to work with the latest encryption.
  • Convert the RMAD service account from a gMSA to a non-gMSA account to resolve this error.
  • Uninstall the latest patches from the RMAD server so that RMAD supports the backup operation for gMSA accounts.
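
A read-only check to run before changing either object, added here as an example and not part of the original post: it decodes msDS-SupportedEncryptionTypes on the gMSA and on the RMAD server's computer object and lists their registered SPNs, so you can see whether RC4, the 128/256-bit types, or nothing at all is set. The account and computer names are hypothetical placeholders, and the directory query assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example. Low-order bit values of msDS-SupportedEncryptionTypes.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01; 'DES-CBC-MD5' = 0x02; 'RC4-HMAC' = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08; 'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function ConvertFrom-SupportedEncType {
    param($Value)   # Int32 from AD, or $null when the attribute is not set
    $v = [int]$Value
    $names = @($EncTypeBits.Keys | Where-Object { $v -band $EncTypeBits[$_] })
    [pscustomobject]@{
        Raw         = $Value
        Types       = if ($v -eq 0) { '(not set; KDC default applies)' } else { $names -join ', ' }
        AllowsRC4   = [bool]($v -band 0x04)
        AllowsAES   = [bool]($v -band 0x18)
        HighBitsSet = (($v -shr 16) -ne 0)   # the "higher 16 bits" from the KB note
    }
}

function Get-EncTypeReport {
    param([string]$GmsaName, [string]$ComputerName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $props = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'
    $objects = @(
        Get-ADServiceAccount -Identity $GmsaName -Properties $props
        Get-ADComputer -Identity $ComputerName -Properties $props
    )
    foreach ($o in $objects) {
        $d = ConvertFrom-SupportedEncType $o.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name = $o.SamAccountName; Raw = $d.Raw; Types = $d.Types
            AllowsRC4 = $d.AllowsRC4; AllowsAES = $d.AllowsAES
            SPNs = @($o.servicePrincipalName) -join '; '
        }
    }
}

# Offline check with constructed values: 4 = RC4 only, 24 = AES only, 28 = RC4 + AES.
4, 24, 28, $null | ForEach-Object { ConvertFrom-SupportedEncType $_ } | Format-Table

# Against a directory (hypothetical names; replace with your own):
# Get-EncTypeReport -GmsaName 'gmsa-rmad' -ComputerName 'RMAD01' | Format-List
```

Recording the output before and after any attribute change gives a baseline to revert to, and an empty SPNs column for the gMSA matches the SPN registration failure described under Cause.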

So, that’s all in this blog. I will meet you soon with the next stuff. Have a nice day!!!

Vipan Kumar

He is an Active Directory Engineer. He has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on these subjects, feel free to contact us at admin@windowstechno.com. Please also subscribe to our Facebook page and website for the latest articles. https://www.facebook.com/windowstechno