New Emergency Updates from Microsoft Fix Windows Server Authentication Issues
Microsoft has released out-of-band updates to resolve authentication failures related to Kerberos delegation scenarios affecting domain controllers (DCs) running supported versions of Windows Server.
On affected systems, end users cannot sign in to services or applications using Single sign-on (SSO) in on-premises Active Directory or Azure Active Directory hybrid environments.
These issues affect systems running Windows Server 2019 and earlier, including Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.
The emergency updates address “a known issue that could cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self),” a Microsoft announcement said on Sunday.
“This issue occurs after you install the November 9, 2021 security updates on domain controllers (DCs) that are running Windows Server.”
The full list of out-of-band updates Microsoft released over the weekend includes:
How to Deploy OOB Updates
You will not be able to install these emergency updates through Windows Update, nor will they automatically install on affected domain controllers.
To download the standalone update packages, you will need to search for them in the Microsoft Update Catalog (you can also use the download links available above).
You can import this update into Windows Server Update Services (WSUS) manually using the instructions available in the Microsoft Update Catalog.
When Microsoft confirmed these issues on Thursday, the company said that users might see one or more of the following errors on affected systems:
- Event Viewer can display Microsoft-Windows-Kerberos-Key-Distribution-Center event 18 recorded in the System event log
- Error 0x8009030c with the text "Web Application Proxy has encountered an unexpected event" is logged in the Azure AD Application Proxy event log in Microsoft-AAD Application Proxy connector event 12027
- Network traces contain a signature similar to the following:
- 7281 24:44 (644) 10.11.2.12 .contoso.com KerberosV5 KerberosV5: TGS Request domain: CONTOSO.COM Sname: http / xxxxx-xxx.contoso.com
- 7282 7290 (0). CONTOSO.COM
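To find out which domain controllers show the first symptom above, the System log on each DC can be queried for KDC event 18 recorded since the November 9, 2021 updates. The script below is an added example, not Microsoft's code; it assumes the ActiveDirectory (RSAT) module and remote event log access to every DC, and the output column names are illustrative.

```powershell
# Added example: sweep all domain controllers for KDC event 18 in the System log.
# Assumptions: ActiveDirectory (RSAT) module installed, remote event log access allowed.
Import-Module ActiveDirectory

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 18
    StartTime    = [datetime]'2021-11-09'   # date of the security updates named in the article
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $status = 'OK'
    $events = @()
    try {
        $events = @(Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is a clean result here.
        # Any other error means the DC was not actually checked, so record it.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $status = "Query failed: $($_.Exception.Message)"
        }
    }

    $ordered = $events | Sort-Object TimeCreated
    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        Event18Count     = $events.Count
        FirstSeen        = ($ordered | Select-Object -First 1).TimeCreated
        LastSeen         = ($ordered | Select-Object -Last 1).TimeCreated
        Status           = $status
    }
}

# DCs with the most occurrences first; rows with a failed query need a manual look.
$results | Sort-Object Event18Count -Descending | Format-Table -AutoSize
```

A DC that reports a count of zero with a status other than OK was not reachable, so it should not be read as unaffected.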