Microsoft Fixed November Patch Issue with Authentication might fail on DCs

Microsoft has fixed the November patch issue in which authentication might fail on DCs. There are several reports that, after installing the November security updates on DCs, authentication fails on the following Windows Server versions: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

You might see authentication failures on servers relating to Kerberos tickets acquired via S4U2self. This known issue affects the following KBs: KB5007206, KB5007192, KB5007247, KB5007260, KB5007236, and KB5007263. Microsoft released a standalone out-of-band update to fix this issue.

Microsoft confirmed that Kerberos delegation scenarios where a Kerberos client provides the front-end service with an evidence ticket are not impacted. This issue does not impact pure Azure Active Directory environments.


The new patch KB5008602 is not available in WSUS and SCCM, so you might need to use the manual method explained in the following post, which walks through getting this patch into SCCM/WSUS: Patch Missing From SCCM How To Import Into WSUS Manually.

Environments Impacted by the November Patch Issue

Microsoft confirmed that the following environments might hit the Kerberos issue with Domain Controllers (DCs).

  • Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD)
  • Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO)
  • Active Directory Federated Services (ADFS)
  • Microsoft SQL Server
  • Internet Information Services (IIS) using Integrated Windows Authentication (IWA)
  • Intermediate devices including Load Balancers performing delegated authentication
Microsoft Fixed November Patch – Sample diagram from a Twitter sub-thread about Kerberos Constrained Delegation (KCD) and abuse scenarios: https://twitter.com/_nwodtuhs

Identify the Issue: Event ID 18 — Privilege Attribute Certificate Configuration

How do you identify this known issue with the November patch? On impacted environments, you can see Event ID 18 — Privilege Attribute Certificate Configuration.

  • Event Viewer might show Microsoft-Windows-Kerberos-Key-Distribution-Center event 18 logged in the System event log.
  • Error 0x8009030c with the text "Web Application Proxy encountered an unexpected..." is logged in the Azure AD Application Proxy event log as Microsoft-AAD Application Proxy Connector event 12027.
  • Network traces contain a signature similar to the following:
    • 7281 24:44 (644) 10.11.2.12 <app server hostname>.contoso.com KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.COM Sname: http/xxxxx-xxx.contoso.com
    • 7282 7290 (0) <hostname>. CONTOSO.COM <IP address of the application server making the TGS request>

Fixed November Patch Issue with KB5008602: Authentication might fail on DCs

The fix is available as the out-of-band update KB5008602 for the November patch issue where authentication might fail on DCs. But I can find the patches only for Server 2019.

NOTE! – I didn’t find KB5008602 in SCCM/WSUS yet. I did initiate a manual WSUS sync, but I couldn’t find any patches after this sync. Do you see the same?

Microsoft Fixed November Patch Issue with Authentication might fail on DCs – KB5008602.

You can use the following method if you don’t find the KB5008602 patch in WSUS/SCCM and want to deploy it immediately: Patch Missing From SCCM How To Import Into WSUS Manually HTMD Blog (anoopcnair.com).

Microsoft confirmed that KB5008602 wouldn’t be available in WSUS. However, you can import this update into Windows Server Update Services (WSUS) and SCCM, as explained in the post linked above.

Note: KB5008602 is not available from Windows Update and will not install automatically.

The list of KB5008602 packages available for affected Windows systems is below. I can’t find the patches for other operating systems like Server 2008, Server 2012, Server 2016, etc.

NOTE! – Updated with the details of the hotfixes released for Server 2016 and Server 2012 R2.

The Server 2016 fix has a different KB, KB5008601: https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9

The Server 2012 R2 fix is KB5008603: https://support.microsoft.com/en-us/topic/kb5008603-authentication-fails-on-domain-controllers-in-certain-kerberos-scenarios-on-windows-server-2012-r2-1beea7a1-9a3c-48dd-a56d-c3cc3f5d0d50


The MSU package is windows10.0-kb5008602-x64_5535dd10ef8d98b2acede815d6b7fa002f306c33.msu

| Title | Products | Classification | Last Updated | Version | Size |
|---|---|---|---|---|---|
| 2021-11 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5008602) | Windows Server 2019 | Updates | 11/14/2021 | n/a | 553.3 MB |
| 2021-11 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB5008602) | Windows 10 LTSB | Updates | 11/14/2021 | n/a | 553.3 MB |
| 2021-11 Cumulative Update for Windows 10 Version 1809 for x86-based Systems (KB5008602) | Windows 10 LTSB | Updates | 11/14/2021 | n/a | 304.6 MB |
| 2021-11 Cumulative Update for Windows 10 Version 1809 for ARM64-based Systems (KB5008602) | Windows 10 LTSB | Updates | 11/14/2021 | n/a | 600.8 MB |

Description: Install this update to resolve issues in Windows. For a complete listing of the issues included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
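To tie the symptom check (KDC event 18 under "Identify the Issue") to the mitigation check (the out-of-band KBs above), here is an added PowerShell example; it is not code from the original post or from Microsoft. It assumes it runs elevated with rights to read the DC's System log and hotfix list, that the computer name and the 7-day lookback are parameters you adjust, and that C:\Temp is a placeholder path for the downloaded MSU.

```powershell
# Added example (not from the original post): check a DC for the November 2021
# Kerberos S4U2self symptom (KDC event 18) and whether an out-of-band fix is installed.
# Assumption: run elevated; the KB list covers only the builds named in the post
# (Server 2019 = KB5008602, Server 2016 = KB5008601, Server 2012 R2 = KB5008603).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed parameter: DC to inspect
    [datetime]$Since = (Get-Date).AddDays(-7)   # assumed lookback window
)

$oobFixes = @('KB5008602', 'KB5008601', 'KB5008603')

# 1. Symptom: Microsoft-Windows-Kerberos-Key-Distribution-Center event 18 in the System log.
#    Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
$kdcEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 18
    StartTime    = $Since
} -ErrorAction SilentlyContinue

if ($kdcEvents) {
    Write-Host ('{0}: {1} KDC event 18 entries since {2}' -f $ComputerName, @($kdcEvents).Count, $Since)
    $kdcEvents | Select-Object -First 3 TimeCreated, Message | Format-List
} else {
    Write-Host ('{0}: no KDC event 18 entries since {1}' -f $ComputerName, $Since)
}

# 2. Mitigation: is one of the out-of-band updates already present?
#    Filtering with Where-Object avoids the error Get-HotFix -Id throws on a missing KB.
$installed = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
    Where-Object { $oobFixes -contains $_.HotFixID }

if ($installed) {
    Write-Host ('{0}: out-of-band fix installed: {1}' -f $ComputerName, ($installed.HotFixID -join ', '))
} else {
    Write-Warning ('{0}: none of {1} found. Install the MSU manually, for example:' -f $ComputerName, ($oobFixes -join ', '))
    # C:\Temp is a placeholder; the file name is the Server 2019 / 1809 x64 package from the post.
    Write-Warning '  wusa.exe C:\Temp\windows10.0-kb5008602-x64_5535dd10ef8d98b2acede815d6b7fa002f306c33.msu /quiet /norestart'
}
```

Run it against each DC that received the November cumulative update; a DC that logs event 18 and reports none of the three KBs is the one to patch first.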

Resources

  • https://docs.microsoft.com/en-ca/windows/release-health/status-windows-10-1809-and-windows-server-2019#2748msgdesc

Author

Anoop is a Microsoft MVP! He is a Solution Architect on enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about technologies like ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.