After the November patch Tuesday, Microsoft has released emergency updates to address authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DC). These authentication issues impact systems are running Windows Server 2019 and lower versions with specific Kerberos delegation scenarios.

Microsoft says these security updates “Addresses a known issue that might cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self).”

“This issue occurs after you install the November 9, 2021 security updates on domain controllers (DC) that are running Windows Server.”

On impacted systems, end-users cannot sign in to services or applications using Single Sign-On (SSO) in Active Directory on-premises or hybrid Azure Active Directory environments.

List of updates released by Microsoft after November Patch Tuesday:

  • KB5008602: Out-of-band on Windows Server 2019
  • KB5008601: Out-of-band on Windows Server 2016
  • KB5008603: Authentication fails on domain controllers in specific Kerberos scenarios on Windows Server 2012 R2
  • KB5008604: Authentication fails on domain controllers in specific Kerberos systems on Windows Server 2012
  • KB5008605: Authentication fails on domain controllers in specific Kerberos systems on Windows Server 2008 R2 SP1
  • KB5008606: Authentication fails on domain controllers in specific Kerberos systems on Windows Server 2008 SP2

The authentication issues prevent end-users in Active Directory on-premises or hybrid Azure Active Directory environments from signing into services or applications using Single Sign-On (SSO).

Deployment updates:

Microsoft emergency updates cannot be installed through Windows Update, and they will also not be installed automatically on affected DCs. If you installed earlier updates, only the new fixes contained in the update package would be downloaded and installed on your device. To install the above security updates, you all have to search and download the standalone update package from Microsoft Update Catalog for respective KBS, or you all can download using the below links.

1. KB5008602 – UPDATE
2. KB5008601 – UPDATE
3. KB5008603 – UPDATE
4. KB5008604 – UPDATE
5. KB5008605 – UPDATE
6. KB5008606 – UPDATE

 

Source: https://www.secpod.com/blog/microsoft-released-emergency-updates-for-windows-server/?utm_source=Security+Alerts&utm_medium=Email&utm_campaign=Microsoft+Has+Released+Out-of-band+Updates+To+Fix+Windows+Server+Authentication+Issues