Windows Server authentication issues triggered by new security upgrades

User Experience:

“After installing the November security updates, you might have authentication failures on servers relating to Kerberos Tickets acquired via S4U2self,” Microsoft explains on the Windows health dashboard. Users of Windows Server Domain Controllers (DCs) may face authentication difficulties after installing the security patches released on Tuesday as part of Patch Tuesday, according to Microsoft. In some Kerberos delegation scenarios, these authentication issues affect systems running Windows Server 2019 and earlier versions.

Affected Servers and Windows Issues:

The following Windows Server versions are affected:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2 SP1
  • Windows Server 2008 SP2

The following are the Windows updates and their versions:

The following errors indicate the issue:

Events may appear in Event Viewer: the System event log contains Microsoft-Windows-Kerberos-Key-Distribution-Center event 18.

The Azure AD Application Proxy event log (Microsoft-AAD Application Proxy Connector) contains event 12027 with error 0x8009030c and message text beginning “Web Application Proxy encountered an unexpected”.

A signature similar to the following can be found in network traces:

  • 7281 24:44 (644) 10.11.2.12 .contoso.com KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.COM Sname: http/xxxxx-xxx.contoso.com
  • 7282 7290 (0) . CONTOSO.COM
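As an added example (not code from Microsoft's advisory or the BleepingComputer article), the following PowerShell script checks domain controllers for the KDC event 18 and App Proxy connectors for event 12027 / 0x8009030c described above. The host names and the connector log name are assumptions to adjust for your environment.

```powershell
# Added example: hunt for the two event signatures Microsoft lists for the
# S4U2self authentication failures. Host names below are placeholders.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # assumed DC hostnames
    [string[]]$ProxyConnectors   = @(),                 # assumed AAD App Proxy connector hosts
    [datetime]$Since = (Get-Date).AddDays(-7)           # look back one week by default
)

function Get-KdcS4u2selfFailures {
    param([string]$ComputerName, [datetime]$Since)
    # Event 18 from the KDC provider in the System log is the DC-side signature.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 18
        StartTime    = $Since
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Id, Message
}

function Get-AppProxyKcdFailures {
    param([string]$ComputerName, [datetime]$Since)
    # Event 12027 carrying error 0x8009030c is the connector-side signature.
    # The Admin log name is an assumption; confirm it with Get-WinEvent -ListLog '*Proxy*'.
    $filter = @{
        LogName   = 'Microsoft-AAD Application Proxy Connector/Admin'
        Id        = 12027
        StartTime = $Since
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x8009030c' } |
        Select-Object MachineName, TimeCreated, Id, Message
}

# Collect results from every host; cmdlets that return nothing add no entries.
$results = [System.Collections.Generic.List[object]]::new()
foreach ($dc in $DomainControllers) {
    Get-KdcS4u2selfFailures -ComputerName $dc -Since $Since | ForEach-Object { $results.Add($_) }
}
foreach ($connector in $ProxyConnectors) {
    Get-AppProxyKcdFailures -ComputerName $connector -Since $Since | ForEach-Object { $results.Add($_) }
}

if ($results.Count -gt 0) {
    $results | Sort-Object TimeCreated | Format-Table MachineName, TimeCreated, Id -AutoSize
    Write-Warning ("{0} matching event(s) found; review the DCs' November update state." -f $results.Count)
} else {
    Write-Output "No matching KDC event 18 or App Proxy event 12027 entries since $Since."
}
```

Run it from an account with event-log read rights on the target hosts; a hit on event 18 alone points at the DC, while a paired 12027 shows the failure surfacing in the App Proxy KCD path.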

The following services and scenarios on the affected servers are impacted:

  • Active Directory Federation Services (ADFS)
  • Microsoft SQL Server
  • Load balancers and other intermediate devices that perform delegated authentication
  • Azure Active Directory (AAD) Application Proxy using Integrated Windows Authentication (IWA) with Kerberos Constrained Delegation (KCD)
  • Internet Information Services (IIS) using Integrated Windows Authentication (IWA)
  • Web Application Proxy (WAP) Single Sign-On (SSO) with Integrated Windows Authentication (IWA)

Microsoft Verdict on Impact:

Kerberos authentication will fail on Kerberos delegation scenarios that rely on the front-end service to retrieve a Kerberos ticket on behalf of a user to access a backend service. Important Kerberos delegation scenarios where a Kerberos client provides the front-end service with an evidence ticket are not impacted. Pure Azure Active Directory environments are not impacted by this issue. – Microsoft

Reference:

Gatlan, S. (2021, November 11). Microsoft: New Security updates Trigger Windows Server Auth issues. BleepingComputer. Retrieved November 12, 2021, from https://www.bleepingcomputer.com/news/microsoft/microsoft-new-security-updates-trigger-windows-server-auth-issues/.