While installing updates is one of the basic information security measures, many organizations hold off on installing Windows Server updates within the first 48 hours after release. This month, we saw another reason why it’s a smart idea to test updates in pre-production environments before deploying them to production domain controllers.
After installing the November 2021 cumulative and/or security updates on domain controllers, you might experience authentication failures on servers relating to Kerberos tickets acquired via S4U2self.
About the issue
The authentication failures occur when Kerberos tickets acquired via S4U2self are used as evidence tickets for protocol transition, in order to delegate to back-end services, and those tickets then fail signature validation. In other words, Kerberos authentication fails in Kerberos delegation scenarios that rely on a front-end service to retrieve a Kerberos ticket on behalf of a user to access a back-end service.
People in your environment might be unable to sign into services or applications with Single Sign On (SSO), either against Active Directory or in a hybrid Azure AD environment.
Affected environments might be using the following:
- Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD)
- Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO)
- Active Directory Federated Services (AD FS)
- Microsoft SQL Server
- Internet Information Services (IIS) using Integrated Windows Authentication (IWA)
- Intermediate devices including load balancers performing delegated authentication
You might receive one or more of the following errors when encountering this issue:
- Events in the System log with EventID 18 and source Microsoft-Windows-Kerberos-Key-Distribution-Center.
- Events in the Azure AD Application Proxy logs with EventID 12027, source Microsoft-AAD Application Proxy Connector, error 0x8009030c and with the following text:
Web Application Proxy encountered an unexpected error
How to fix this issue
This issue was resolved in out-of-band updates released November 14, 2021. Install the updates below on domain controllers when you experience this issue:
- Windows Server 2008 SP2: KB5008606
- Windows Server 2008 R2 SP1: KB5008605
- Windows Server 2012: KB5008604
- Windows Server 2012 R2: KB5008603
- Windows Server 2016: KB5008601
- Windows Server 2019: KB5008602
As these are standalone packages, search for them in the Microsoft Update Catalog, then import the update(s) into Windows Server Update Services (WSUS) manually. These updates will not install automatically.
KB5008601 and KB5008602, for Windows Server 2016 and Windows Server 2019 respectively, are cumulative updates. When you haven’t installed the November 9, 2021 cumulative updates yet, install this update instead. For the other operating systems, install the November 9, 2021 cumulative update first, then install the patch.
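As an added example (not part of the original post), the following PowerShell script inventories the domain controllers in the current domain, looks up the out-of-band KB listed above for each server’s operating system, checks whether it is installed, and counts the Kerberos-Key-Distribution-Center Event ID 18 entries from the past week that mark the symptom. It assumes the ActiveDirectory module (RSAT) is available and that the account running it has remote WMI and event log access to the domain controllers.

```powershell
# Added example: check domain controllers for the S4U2self symptom (KDC Event ID 18)
# and whether the November 14, 2021 out-of-band update for their OS is installed.
# Assumes the ActiveDirectory module is loaded and remote access to each DC works.

# OS caption fragment -> out-of-band KB (mapping taken from the advisory above).
# Ordered so that "2008 R2" / "2012 R2" match before the plain "2008" / "2012" entries.
$OobKb = [ordered]@{
    'Server 2008 R2' = 'KB5008605'
    'Server 2008'    = 'KB5008606'
    'Server 2012 R2' = 'KB5008603'
    'Server 2012'    = 'KB5008604'
    'Server 2016'    = 'KB5008601'
    'Server 2019'    = 'KB5008602'
}

$DCs   = (Get-ADDomainController -Filter *).HostName
$Since = (Get-Date).AddDays(-7)

foreach ($dc in $DCs) {
    # Determine which out-of-band package applies to this DC
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc).Caption
    $kb = $null
    foreach ($fragment in $OobKb.Keys) {
        if ($os -like "*$fragment*") { $kb = $OobKb[$fragment]; break }
    }

    # Get-HotFix reports the KB numbers of installed (cumulative) updates
    $installed = $false
    if ($kb) {
        $installed = [bool](Get-HotFix -Id $kb -ComputerName $dc -ErrorAction SilentlyContinue)
    }

    # Event ID 18 from the KDC in the System log is the symptom named in the advisory
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 18
        StartTime    = $Since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController = $dc
        OS               = $os
        OobUpdate        = $kb
        OobInstalled     = $installed
        KdcEvent18Count  = @($events).Count
    }
}
```

A domain controller that shows Event ID 18 entries and OobInstalled = False is the one to patch first; pipe the output to Format-Table or Export-Csv for a fleet-wide overview.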