Re: Another brilliant demonstration of Borkzilla testing procedures
No, I'm sorry, Kerberos is a core technology in the AD stack. While MSFT making moves to tighten up their entire auth structure is commendable, it is only in the last year - in fact, since November last year - that they have released so many updates that have screwed up one or other component of AD auth (NTLM/Kerberos - LDAP stuff has been fine).
This is *entirely* due to whatever testing model they have implemented most recently, which I understand is essentially relying on the Insider program for "regression testing".
I expect some pain while we ensure that legacy accounts get remediated prior to force-deprecating RC4, and the documented staged approach to do that via these updates is fine. But you cannot break core services simply because you can't be bothered regression-testing - it is not a new concept, and nor is it an obsolete one.
AD security has always been highly complex and has undergone significant changes in the last 20 years, mostly without too much disruption. But this past year has been more like the mid-90s days of bad NT4 service packs. It's really not acceptable, unless you subscribe to the view that this is a deliberate ploy to force everyone into cloud, which frankly seems increasingly likely to me.
Of course, debacles like these mean that our clients are even more reluctant to do even basic timely updates, let alone migrate if it makes sense for their workloads (which, frankly, it doesn't always).