Microsoft Releases Emergency Fix Update: Fixes Windows Server SSO Authentication Failure Issue


Microsoft has released an urgent update to address authentication failures related to Kerberos delegation scenarios that affect domain controllers (DCs) running supported versions of Windows Server.

On the affected systems, end users will not be able to sign in to services and applications using single sign-on (SSO) in an on-premises Active Directory or hybrid Azure Active Directory environment.

These issues affect systems running Windows Server 2019 and earlier, including Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

This urgent update addresses “a known issue that can cause authentication failures related to Kerberos tickets retrieved from Service for User to Self (S4U2self),” according to Microsoft’s announcement.

This issue occurs after installing the November 9, 2021 security update on a domain controller (DC) running Windows Server.

The full list of emergency updates released by Microsoft is as follows.

How to install the OOB update

These emergency updates cannot be installed via Windows Update and will not be automatically installed on affected DCs.

To download the standalone update package, you will need to search the Microsoft Update catalog (you can also use the download link above).

To manually import this update into Windows Server Update Services (WSUS), use the instructions found in the Microsoft Update Catalog.

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/manage/wsus-and-the-catalog-site#the-microsoft-update-catalog-site

When Microsoft confirmed these issues, they stated that users may see one or more of the following errors on affected systems.

  • Event Viewer may show Microsoft-Windows-Kerberos-Key-Distribution-Center event 18 recorded in the System event log
  • Microsoft-AAD Application Proxy Connector event 12027 with the text “Error 0x8009030c with text Web Application Proxy encountered an unexpected” may be logged in the Azure AD Application Proxy event log

The network trace contains something similar to the following signature.

7281 24:44 (644) 10.11.2.12 .contoso.com KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.COM Sname: http/xxxxx-xxx.contoso.com
7282 7290 (0) . CONTOSO.COM
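The following PowerShell check is an added example, not code from the article or from Microsoft. It queries a domain controller for the two event IDs listed above and lists updates installed on or after November 9, 2021, so the onset of KDC event 18 can be correlated with the security update. The article does not name the Application Proxy connector's event log, so that query filters on provider name only; the -ComputerName and -LookbackDays parameters are assumptions.

```powershell
# Added example (not from the article or Microsoft). Run elevated on a DC, or point
# -ComputerName at one (assumed parameter). Reports the symptoms named in the article.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$LookbackDays = 7
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Symptom 1: KDC event 18 in the System log (provider name as given in the article).
$kdcEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 18
    StartTime    = $since
}

# Symptom 2: Application Proxy Connector event 12027 (only present where the connector runs).
# The article gives the provider name but not the log name, so filter on provider only.
$proxyEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    ProviderName = 'Microsoft-AAD Application Proxy Connector'
    Id           = 12027
    StartTime    = $since
}

# Updates installed on or after the November 9, 2021 security update date, for correlation.
$recentUpdates = Get-HotFix -ComputerName $ComputerName |
    Where-Object { $_.InstalledOn -ge [datetime]'2021-11-09' } |
    Sort-Object InstalledOn

# Get-WinEvent returns newest events first, so the first item is the most recent.
[pscustomobject]@{
    Computer             = $ComputerName
    KdcEvent18Count      = @($kdcEvents).Count
    ProxyEvent12027Count = @($proxyEvents).Count
    LatestKdcEvent18     = ($kdcEvents | Select-Object -First 1).TimeCreated
    UpdatesSince9Nov2021 = ($recentUpdates | ForEach-Object {
                               "$($_.HotFixID) ($($_.InstalledOn.ToShortDateString()))"
                           }) -join ', '
    LikelyAffected       = (@($kdcEvents).Count -gt 0) -and (@($recentUpdates).Count -gt 0)
}
```

A non-zero KdcEvent18Count alongside an update installed on or after November 9, 2021 is the pattern to confirm against the OOB update's prerequisites before installing it from the Microsoft Update Catalog.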
