Microsoft Fixed November Patch Issue with Authentication might fail on DCs

Microsoft has fixed the November patch issue where authentication might fail on DCs. There are several reports of authentication failures after installing the November security updates on DCs running Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

You might see authentication failures on servers relating to Kerberos tickets acquired via S4U2self. This known issue affects the following KBs: KB5007206, KB5007192, KB5007247, KB5007260, KB5007236, and KB5007263. Microsoft released a standalone out-of-band update to fix this issue.

Microsoft confirmed that Kerberos delegation scenarios where a Kerberos client provides the front-end service with an evidence ticket are not impacted. This issue does not impact pure Azure Active Directory environments.

The new patch KB5008602 is not available in WSUS or SCCM, so you might need to use the manual method explained in the post Patch Missing From SCCM How To Import Into WSUS Manually to get this patch into SCCM/WSUS.


Impacted November Patch Issue

Microsoft confirmed that the following environments might have Kerberos issues with Domain Controllers (DCs):

  • Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD)
  • Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO)
  • Active Directory Federated Services (ADFS)
  • Microsoft SQL Server
  • Internet Information Services (IIS) using Integrated Windows Authentication (IWA)
  • Intermediate devices including Load Balancers performing delegated authentication
Sample diagram from a Twitter sub-thread about Kerberos Constrained Delegation (KCD) and abuse scenarios: https://twitter.com/_nwodtuhs

Identify Issue: Event ID 18, Privilege Attribute Certificate Configuration

How do you identify this known issue with the November patch? Event ID 18 (Privilege Attribute Certificate Configuration) is logged on the impacted environments.

  • Event Viewer might show Microsoft-Windows-Kerberos-Key-Distribution-Center event 18 logged in the System event log
  • Error 0x8009030c with the text "Web Application Proxy encountered an unexpected" is logged in the Azure AD Application Proxy event log as Microsoft-AAD Application Proxy Connector event 12027
  • Network traces contain a signature similar to the following:
    • 7281 24:44 (644) 10.11.2.12 <app server hostname>.contoso.com KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.COM Sname: http/xxxxx-xxx.contoso.com
    • 7282 7290 (0) <hostname>. CONTOSO.COM <IP address of the application server making the TGS request>

Fixed November Patch Issue with KB5008602 Authentication might fail on DCs

The fix for the November patch issue (authentication might fail on DCs) is available with the out-of-band update KB5008602. But I could only find the patches for Server 2019?

NOTE! – KB5008602 is not available in SCCM/WSUS yet. I did initiate a manual WSUS sync, but I couldn’t find any patches after this sync. Do you see the same?


If you don’t find the KB5008602 patch in WSUS/SCCM and want to deploy it immediately, use the method described in Patch Missing From SCCM How To Import Into WSUS Manually (HTMD Blog, anoopcnair.com).

Microsoft confirmed that KB5008602 won’t be available in WSUS. However, you can import this update into Windows Server Update Services (WSUS) and SCCM, as explained in the post linked above.

Note: KB5008602 is not available from Windows Update and will not install automatically.

List of KB5008602 packages available for affected Windows systems. I can’t find the patches for other operating systems like Server 2008, Server 2012, Server 2016, etc.

NOTE! – Updated the details of the hotfixes released for Server 2016 and Server 2012 R2.

The Server 2016 fix has a different KB, KB5008601: https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9

The Server 2012 R2 fix is KB5008603: https://support.microsoft.com/en-us/topic/kb5008603-authentication-fails-on-domain-controllers-in-certain-kerberos-scenarios-on-windows-server-2012-r2-1beea7a1-9a3c-48dd-a56d-c3cc3f5d0d50
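As an added example (not code from the original post or from Microsoft), the following PowerShell checks a DC for the symptom described in the Identify Issue section (KDC event 18 in the System log) and verifies whether the OS-specific out-of-band KB listed above is installed. The OS-to-KB mapping is the one the post gives; the function names and the 72-hour window are assumptions.

```powershell
# Added example: run elevated on a domain controller.
# OS-to-KB mapping as listed in the post (Server 2019, 2016, 2012 R2).
$KbByOs = [ordered]@{
    'Windows Server 2019'    = 'KB5008602'
    'Windows Server 2016'    = 'KB5008601'
    'Windows Server 2012 R2' = 'KB5008603'
}

function Get-KdcPacEvent {
    param([int]$Hours = 24)   # assumed parameter: how far back to search
    # Event 18 (Privilege Attribute Certificate Configuration) from the
    # Kerberos KDC provider in the System log, newest first
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 18
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

function Get-OobKerberosFixStatus {
    # Match the OS caption (e.g. "Microsoft Windows Server 2019 Standard")
    # to the KB the post lists for that OS, then check Get-HotFix for it
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $osKey   = $KbByOs.Keys | Where-Object { $caption -like "*$_*" } | Select-Object -First 1
    $kb      = if ($osKey) { $KbByOs[$osKey] } else { $null }
    $installed = $false
    if ($kb) {
        $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        OS         = $caption
        ExpectedKB = $kb          # $null: the post lists no OOB KB for this OS
        Installed  = $installed
    }
}

$events = @(Get-KdcPacEvent -Hours 72)
$status = Get-OobKerberosFixStatus
$status | Format-List
if ($events.Count -gt 0 -and -not $status.Installed) {
    Write-Warning "$($events.Count) KDC event 18 entries in the last 72h and $($status.ExpectedKB) is not installed."
}
$events | Format-Table -AutoSize
```

Event 18 entries with the expected KB still missing are the combination the post describes; once the KB shows as installed, a clean run over the same window confirms the fix took effect on that DC.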


The MSU package is windows10.0-kb5008602-x64_5535dd10ef8d98b2acede815d6b7fa002f306c33.msu

  • 2021-11 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5008602) Windows Server 2019 Updates 11/14/2021 n/a 553.3 MB
  • 2021-11 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB5008602) Windows 10 LTSB Updates 11/14/2021 n/a 553.3 MB
  • 2021-11 Cumulative Update for Windows 10 Version 1809 for x86-based Systems (KB5008602) Windows 10 LTSB Updates 11/14/2021 n/a 304.6 MB
  • 2021-11 Cumulative Update for Windows 10 Version 1809 for ARM64-based Systems (KB5008602) Windows 10 LTSB Updates 11/14/2021 n/a 600.8 MB

Description: Install this update to resolve issues in Windows. For a complete listing of the issues included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.

Resources

  • https://docs.microsoft.com/en-ca/windows/release-health/status-windows-10-1809-and-windows-server-2019#2748msgdesc

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

14 thoughts on “Microsoft Fixed November Patch Issue with Authentication might fail on DCs”

    • I couldn’t get this patch installed on the SCCM server. But got installed on DCs. I think these patches are applicable only for the impacted environments mentioned in the post? ADFS, DCs, etc…

  1. Dear all,
    I applied patch KB5008603 this morning on two of four Windows 2012 R2 DCs that had the November update, but I still have the error “Kerberos-Key-Distribution-Center” event ID 37.
    On the two other DCs that do not have the November update, I don’t have this error.
    I wonder how well the patch works? Does it work well for you?

    Regards,
    Julien

  2. Do the clients need to install the Windows 10 update to start working again?

    We had several app proxy users unable to connect, which we could see in the logs as:
    Web Application Proxy encountered an unexpected error while processing the request.
    Error: The logon attempt failed
    (0x8009030c)

    We could replicate this so we installed the patches on the DCs and then we were working again.

    HOWEVER, we still have some users who cannot access app proxy (Windows 10 laptop users who are remote workers). They are still trying to authenticate but we are now seeing this error in the app proxy event logs:

    Web Application Proxy encountered an unexpected error while processing the request.
    Error: The user name or password is incorrect.
    (0x8007052e)

    Not sure if we need to install the Windows 10 updates on their laptops to get this to work or whether something else is required?

  3. Just to confirm, do the patches KB5008603 & KB5008602 need to be installed only on the Domain Controllers or on all servers? We are not able to import them into WSUS.

  4. We are having authentication problems with SQL 2008 on Windows Server 2003 just after installing the November updates and KB5021653: Out-of-band update on DCs. Any ideas???
