While installing updates is one of the basic information security measures, many organizations hold off on installing updates for Windows Server within 48 hours. This month, we saw another reason why it’s a smart idea to test updates in pre-production environments before deploying them to production domain controllers.
After installing the November 2021 cumulative and/or security updates on domain controllers, you might experience authentication failures on servers relating to Kerberos Tickets acquired via S4u2self.
About the issue
The authentication failures are a result of Kerberos tickets acquired via S4u2self and used as evidence tickets for protocol transition to delegate to back-end services which fail signature validation. Kerberos authentication fails on Kerberos delegation scenarios that rely on a front-end service to retrieve a Kerberos ticket on behalf of a user to access a back-end service.
People in your environment might be unable to sign into services or applications using Single Sign On (SSO) using Active Directory or in a hybrid Azure AD environment.
Affected environments might be using the following:
- Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD)
- Apps published through Web Application Proxy (WAP) servers using Windows Integrated Authentication (WIA)-based Single Sign-on (SSO)
- Active Directory Federation Services (AD FS)
- Microsoft SQL Server
- Internet Information Services (IIS) using Integrated Windows Authentication (IWA)
- Intermediate devices including load balancers performing delegated authentication
You might receive one or more of the following errors when encountering this issue:
- Events in the System log with EventID 18 and source Microsoft-Windows-Kerberos-Key-Distribution-Center.
- Events in the Azure AD Application Proxy logs with EventID 12027, source Microsoft-AAD Application Proxy Connector, error 0x8009030c and with the following text:
Web Application Proxy encountered an unexpected error
How to fix this issue
This issue was resolved in out-of-band updates released November 14, 2021. Install the below updates on domain controllers when you experience this issue:
- Windows Server 2008 SP2: KB5008606
- Windows Server 2008 R2 SP1: KB5008605
- Windows Server 2012: KB5008604
- Windows Server 2012 R2: KB5008603
- Windows Server 2016: KB5008601
- Windows Server 2019: KB5008602
As these are standalone packages, search for it in the Microsoft Update Catalog, then import the update(s) into Windows Server Update Services (WSUS) manually. These updates will not install automatically.
KB5008601 and KB5008602 for Windows Server 2016 and Windows Server 2019, respectively are cumulative updates. When you haven’t installed the November 9 2021 cumulative updates, install this update instead. For the other Operating Systems, install the November 9 2021 cumulative update first, then install the patch.
Thanks so much, this was a big help in fixing the Application Proxy issue.
Why is this update not automatically deployed to domain controllers?
If this update would cause other problems that are more widespread than the problems with the November 2021 cumulative update, many organizations would suffer.
With this method, only organizations that are impacted by the changes install the update.
encountered some issues after installing the Nov 21 cumulative update on Active directory for linux clients authenticating with Active Directory or appliance that retrieve data from active directory.
Thanks a lot for this article, it saved my customer whose NAV domain users could not log in to the program. However, the Security Intelligence Update for Windows Defender Antivirus seems to somehow undo what this special patch does, so I've had to uninstall and reinstall KB5008605 twice already, each time after the aforementioned Defender update. DC needs to be restarted twice, first after uninstalling, and then after reinstalling KB5008605, so I stopped updating the domain controller until this issue is permanently resolved by Microsoft.