On-premises Identity updates & fixes for October 2019

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for October 2019:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4524152 October 3, 2019

The October 3, 2019 update for Windows Server 2016 (KB4524152), updating the OS build number to 14393.3243, fixes an intermittent issue with the Print Spooler service that may cause print jobs to fail. Some apps may close or generate errors, such as a remote procedure call (RPC) error. This issue was introduced by the KB4522010 update for Internet Explorer on September 23, 2019.

KB4519998 October 8, 2019

The October 8, 2019 update for Windows Server 2016 (KB4519998), updating the OS build number to 14393.3274, is a security update.

Two NTLM authentication vulnerabilities discovered by security firm Preempt are fixed in this update. When abused, these vulnerabilities allow bypassing the protections Microsoft put in place to prevent NTLM relay attacks, including MIC (Message Integrity Code) protection, Enhanced Protection for Authentication (EPA) and target SPN validation. These vulnerabilities were assigned CVE IDs CVE-2019-1166 and CVE-2019-1338.

After applying this update or later (cumulative) updates, Windows Server installations are protected against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle attack. However, Windows might fail to connect to TLS clients and servers that do not support the Extended Master Secret extension (RFC 7627) for session resumption.

If you see “The request was aborted: Could not create SSL/TLS secure Channel” errors, or events with Event ID 36887 logged in the System event log with the description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.”, then this is caused by the behavior introduced in this update. Please refer to KB4528489 for troubleshooting information.

KB4519979 October 15, 2019

The October 15, 2019 update for Windows Server 2016 (KB4519979), updating the OS build number to 14393.3300, is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that prevents Computer objects from being added to local groups using the Group Policy Preference “Local Users and Groups”. The Group Policy Editor returns the error message, “The object selected does not match the type of destination source. Select again.”
  • It addresses an issue that causes a query request of the Win32_LogonSession class for the StartTime to display the value of the epoch (for example, 1-1-1601 1:00:00) instead of the actual logon time.
  • It addresses an issue that prevents netdom.exe from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.
  • It addresses an intermittent issue in Active Directory Federation Services (AD FS) that fails to authenticate users. Additionally, AD FS redirects the browser back to the Microsoft Exchange Client Access services (CAS) with the wrong Audience uniform resource identifier (URI). Specifically, AD FS appends a slash to the Audience URI. Users see an error page and cannot access the Outlook Web App (OWA).
  • It addresses an issue with Lightweight Directory Access Protocol (LDAP) queries that have a memberof expression in the filter. The queries fail with the error, “000020E6: SvcErr: DSID-0314072D, problem 5012 (DIR_ERROR), data 8996”.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4524148 October 3, 2019

The October 3, 2019 update for Windows Server 2019 (KB4524148), updating the OS build number to 17763.775, expands the out-of-band update dated September 23, 2019. This security update includes the mitigation for the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) and corrects a printing issue some users have experienced since the September 23, 2019 update (KB4522015).

KB4519338 October 8, 2019

The October 8, 2019 update for Windows Server 2019 (KB4519338), updating the OS build number to 17763.805, is a security update.

Overview of KB4519338

Two NTLM authentication vulnerabilities discovered by security firm Preempt are fixed in this update. When abused, these vulnerabilities allow bypassing the protections Microsoft put in place to prevent NTLM relay attacks, including MIC (Message Integrity Code) protection, Enhanced Protection for Authentication (EPA) and target SPN validation. These vulnerabilities were assigned CVE IDs CVE-2019-1166 and CVE-2019-1338.

After applying this update or later (cumulative) updates, Windows Server installations are protected against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle attack. However, Windows might fail to connect to TLS clients and servers that do not support the Extended Master Secret extension (RFC 7627) for session resumption.

If you see “The request was aborted: Could not create SSL/TLS secure Channel” errors, or events with Event ID 36887 logged in the System event log with the description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.”, then this is caused by the behavior introduced in this update. Please refer to KB4528489 for troubleshooting information.
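To confirm that the October 8 security update (or a later cumulative update) is in place and to surface the Schannel failures described above, on either Windows Server 2016 (KB4519998, build 14393.3274) or Windows Server 2019 (KB4519338, build 17763.805), here is an added PowerShell check. It is an example written for this page, not code from the original post or from Microsoft. It assumes it is run in an elevated PowerShell session on the server itself; the KB numbers, build numbers, Event ID 36887 and alert code 20 come from the post, while the seven-day lookback window is an arbitrary assumption.

```powershell
# Added example: verify the October 2019 security update level and look for
# Schannel Event ID 36887 with fatal alert code 20 on the local server.
# Assumptions: elevated session on the server; the 7-day lookback is arbitrary.

# Minimum build revisions per OS, taken from the post. A later cumulative
# update supersedes the KB, so compare the revision (UBR) rather than
# relying on Get-HotFix alone.
$expected = @{
    'Windows Server 2016' = @{ KB = 'KB4519998'; Build = 14393; Revision = 3274 }
    'Windows Server 2019' = @{ KB = 'KB4519338'; Build = 17763; Revision = 805 }
}

function Test-OctoberSecurityUpdate {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $key   = $expected.Keys | Where-Object { $cv.ProductName -like "$_*" } | Select-Object -First 1
    if (-not $key) { throw "Unsupported OS for this check: $($cv.ProductName)" }
    $want  = $expected[$key]
    $kbPresent = [bool](Get-HotFix -Id $want.KB -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        OS          = $key
        Build       = "$build.$ubr"
        Required    = "$($want.Build).$($want.Revision)"
        KbInstalled = $kbPresent
        # Either the specific KB or a later cumulative revision counts as patched.
        Patched     = ($build -eq $want.Build -and $ubr -ge $want.Revision)
    }
}

function Get-SchannelAlert20Events {
    param([int]$Days = 7)
    # Event 36887 is logged by the Schannel provider in the System log. The
    # message text carries the alert code; it does not name the remote peer,
    # so correlate the timestamps with application or proxy logs yourself.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36887
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'fatal alert code is 20' } |
        Select-Object TimeCreated, Id, Message
}

# Usage
$status = Test-OctoberSecurityUpdate
$status | Format-List
$alerts = @(Get-SchannelAlert20Events -Days 7)
Write-Host ("Schannel fatal alert 20 events in the last 7 days: {0}" -f $alerts.Count)
$alerts | Sort-Object TimeCreated | Format-Table -AutoSize
if ($status.Patched -and $alerts.Count -gt 0) {
    Write-Warning 'Update is installed and alert 20 events are present: check the peers against KB4528489 (Extended Master Secret, RFC 7627).'
}
```

If the server is patched and the alert 20 events started at about the same time as the update, the peer side (a load balancer, an appliance, or an old TLS stack that does not implement RFC 7627 resumption) is the likely culprit; the KB4528489 guidance the post points to is where to go next.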

KB4520062 October 15, 2019

The October 15, 2019 update for Windows Server 2019 (KB4520062), updating the OS build number to 17763.832, is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that prevents Computer objects from being added to local groups using the Group Policy Preference “Local Users and Groups”. The Group Policy Editor returns the error message, “The object selected does not match the type of destination source. Select again.”
  • It addresses an issue that causes a query request of the Win32_LogonSession class for the StartTime to display the value of the epoch (for example, 1-1-1601 1:00:00) instead of the actual logon time.
  • It addresses an issue that prevents netdom.exe from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.
  • It addresses an issue with Lightweight Directory Access Protocol (LDAP) queries that have a memberof expression in the filter. The queries fail with the error, “000020E6: SvcErr: DSID-0314072D, problem 5012 (DIR_ERROR), data 8996”.
  • It addresses an issue in Active Directory Federation Services (AD FS) in which certificates are renewed and published automatically each year by default, but clients do not pick up the renewed certificates, which results in an authentication error.
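Two of the fixes listed for both the Windows Server 2016 (KB4519979) and Windows Server 2019 (KB4520062) quality updates have symptoms you can check for directly: the Win32_LogonSession StartTime reporting the Windows epoch, and LDAP queries with memberof in the filter failing with error 000020E6. The following PowerShell script is an added example for this page, not code from the original post or from Microsoft. It assumes a domain-joined host with the ActiveDirectory module installed (RSAT or a domain controller); the group distinguished name used in the usage lines is a placeholder you should replace.

```powershell
# Added example: regression checks for two symptoms addressed by the
# October 15, 2019 quality updates (KB4519979 / KB4520062).
# Assumptions: domain-joined host, ActiveDirectory module available,
# placeholder group DN replaced with a real one.

Import-Module ActiveDirectory -ErrorAction Stop

function Test-LogonSessionStartTime {
    # Symptom from the post: StartTime shows the epoch (1 January 1601)
    # instead of the actual logon time. Get-CimInstance converts the CIM
    # datetime to a [DateTime], so the year is enough to spot it.
    $sessions = @(Get-CimInstance -ClassName Win32_LogonSession)
    $epoch    = @($sessions | Where-Object { $_.StartTime -and $_.StartTime.Year -eq 1601 })
    [pscustomobject]@{
        Sessions      = $sessions.Count
        EpochSessions = $epoch.Count
        Affected      = ($epoch.Count -gt 0)
    }
}

function Test-MemberOfLdapFilter {
    param([Parameter(Mandatory)][string]$GroupDistinguishedName)
    # Symptom from the post: a filter containing memberof fails with
    # "000020E6: SvcErr: DSID-0314072D, problem 5012 (DIR_ERROR), data 8996".
    # Note: a DN containing ( ) * or \ must be escaped per RFC 4515 before
    # it is placed in the filter; this example assumes a plain DN.
    $filter = "(memberOf=$GroupDistinguishedName)"
    try {
        $members = @(Get-ADObject -LDAPFilter $filter -ErrorAction Stop)
        [pscustomobject]@{ Filter = $filter; Result = 'OK'; Count = $members.Count; Error = $null }
    } catch {
        $msg   = $_.Exception.Message
        $state = if ($msg -match '000020E6') { 'Affected (DIR_ERROR, data 8996)' } else { 'Failed (other error)' }
        [pscustomobject]@{ Filter = $filter; Result = $state; Count = 0; Error = $msg }
    }
}

# Usage: run before and after installing the update and compare.
Test-LogonSessionStartTime | Format-List
$domainDn = (Get-ADDomain).DistinguishedName
# Placeholder group: Domain Admins in the default Users container.
Test-MemberOfLdapFilter -GroupDistinguishedName "CN=Domain Admins,CN=Users,$domainDn" | Format-List
```

Run the script against a domain controller on the old build first so you know what the failing output looks like in your environment, then again after the update; a result of `OK` with a non-zero count for the memberOf query and zero epoch sessions is the expected post-update state.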
