With the January 2023 CU for SharePoint Server 2016, 2019 and Subscription Edition, we released a security fix that increased the transport security for communications between the SharePoint applications and the distributed cache cluster.
With May 2023 CU we released a fix for this issue.
- May 2023 CU for SharePoint Server 2016
- May 2023 CU for SharePoint Server 2019
- May 2023 CU for SharePoint Server Subscription Edition
Update from May 25th, 2023:
Thanks to several customer reports, we identified an additional aspect of the distributed cache problem introduced with January 2023 CU which is not addressed by this fix:
Application pools using a managed account that has been added after the farm was created might not be able to talk to the Distributed Cache server.
The reason is that these accounts are not automatically added as members of the WSS_WPG security group on pure Distributed Cache servers where no web applications are provisioned.
In a classic MinRole farm with separate machines for WFE, Distributed Cache, Search and Application Server, the WSS_WPG group is only updated on servers holding the WFE and the Application Server role, but not on servers holding the Distributed Cache or Search role. As a result, granting read permission to the WSS_WPG group on the remote registry access key on the Distributed Cache servers does not grant permissions for these application pool accounts.
A fix for this is now in development.
Workaround: Manually add all accounts used as application pool identities for SharePoint web applications to the WSS_WPG security group on the Distributed Cache server.
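
One way to script this workaround, as an added example that is not part of the original post or Microsoft's fix: it collects only the web application pool identities and adds them to the local WSS_WPG group on each Distributed Cache host, reporting what changed. It assumes the SharePoint Management Shell on a farm server, PowerShell remoting and local administrator rights on the cache hosts, and placeholder host names (`DCACHE01`, `DCACHE02`).

```powershell
# Added example. Host names below are placeholders (assumption), not values from the post.
$cacheServers = @('DCACHE01', 'DCACHE02')

# Distinct application pool identities of all SharePoint web applications in the farm.
# Only these accounts are added, so WSS_WPG membership stays as narrow as the workaround requires.
$appPoolAccounts = @(
    Get-SPWebApplication |
        ForEach-Object { $_.ApplicationPool.Username } |
        Where-Object { $_ } |
        Sort-Object -Unique
)

foreach ($server in $cacheServers) {
    # (,$appPoolAccounts) passes the whole array as a single argument to the remote script block.
    Invoke-Command -ComputerName $server -ArgumentList (,$appPoolAccounts) -ScriptBlock {
        param([string[]]$Accounts)

        foreach ($account in $Accounts) {
            try {
                Add-LocalGroupMember -Group 'WSS_WPG' -Member $account -ErrorAction Stop
                $result = 'added'
            }
            catch {
                # An account that is already in the group is not a failure.
                if ($_.Exception.GetType().Name -eq 'MemberExistsException') {
                    $result = 'already a member'
                }
                else {
                    $result = 'FAILED: ' + $_.Exception.Message
                }
            }

            # One record per account and server, usable as a change log.
            [pscustomobject]@{
                Server  = $env:COMPUTERNAME
                Account = $account
                Result  = $result
            }
        }
    } | Select-Object Server, Account, Result
}
```

The output doubles as a record of which accounts were granted membership on which server, which is useful when reviewing group membership later.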