After the November Patch Tuesday, Microsoft released an emergency out-of-band update to address authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DCs). These authentication issues impact systems that are running Windows Server 2019 and lower versions with specific Kerberos delegation scenarios. Vulnerability management software is essential.
Microsoft says this security update “Addresses a known issue that might cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self).”
“The issue occurs after you install the November 9, 2021 security updates on domain controllers (DC) that are running Windows Server.” Auto patching is a solution for this.
On impacted systems, end-users cannot sign in to services or applications using Single Sign-On (SSO) in Active Directory on-premises or hybrid Azure Active Directory environments.
List of updates released by Microsoft for Emergency Out-Of-Band Update
- KB5008602: Out-of-band on Windows Server 2019
- KB5008601: Out-of-band on Windows Server 2016
- KB5008603: Authentication fails on domain controllers in specific Kerberos scenarios on Windows Server 2012 R2
- KB5008604: Authentication fails on domain controllers in specific Kerberos systems on Windows Server 2012
- KB5008605: Authentication fails on domain controllers in specific Kerberos systems on Windows Server 2008 R2 SP1
- KB5008606: Authentication fails on domain controllers in specific Kerberos systems on Windows Server 2008 SP2
Impact:
The authentication issues prevent end-users in Active Directory on-premises or hybrid Azure Active Directory environments from signing in to services or applications using Single Sign-On (SSO).
Deployment updates:
Microsoft's emergency out-of-band updates cannot be installed through Windows Update, and they will not be installed automatically on affected DCs. If you installed earlier updates, only the new fixes contained in the update package will be downloaded and installed on your device. To install the above non-security updates, search for and download the standalone update package for the respective KB from the Microsoft Update Catalog, or download it using the links below.
1. KB5008602 – UPDATE
2. KB5008601 – UPDATE
3. KB5008603 – UPDATE
4. KB5008604 – UPDATE
5. KB5008605 – UPDATE
6. KB5008606 – UPDATE
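Because these packages are not delivered automatically, it helps to confirm which DCs actually have the matching KB. The following PowerShell is an added example, not Microsoft's or the original article's code; it uses the KB numbers listed above and assumes the RSAT ActiveDirectory module plus WMI/RPC access to each DC.

```powershell
# Added example. Reports, per domain controller, whether the out-of-band KB
# listed in this article for its OS version shows up in the hotfix inventory.
# Assumptions: ActiveDirectory module is available; the caller can query each DC
# remotely; the standalone package is visible to Get-HotFix (Win32_QuickFixEngineering).
Import-Module ActiveDirectory

# Ordered so that "2012 R2" and "2008 R2" are tested before "2012" and "2008".
# Only the version token is matched because OS name strings vary by edition.
$kbByOs = [ordered]@{
    '2019'    = 'KB5008602'
    '2016'    = 'KB5008601'
    '2012 R2' = 'KB5008603'
    '2012'    = 'KB5008604'
    '2008 R2' = 'KB5008605'
    '2008'    = 'KB5008606'
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $os  = [string]$dc.OperatingSystem
    $key = $kbByOs.Keys | Where-Object { $os -like "*$_*" } | Select-Object -First 1
    $kb  = if ($key) { $kbByOs[$key] } else { $null }

    if (-not $kb) {
        $status = 'NotInKbList'      # OS version not covered by the list above
    } else {
        try {
            # Pull the full inventory and filter locally, so a failed remote
            # query is not mistaken for a missing update.
            $installed = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
            $status = if ($installed.HotFixID -contains $kb) { 'Installed' } else { 'Missing' }
        } catch {
            $status = 'QueryFailed'  # unreachable host or access denied
        }
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $os
        ExpectedKB       = $kb
        Status           = $status
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize
```

A `Missing` result means only that this specific KB is not in the inventory; check whether a later cumulative update that contains the same fix is installed before treating the DC as unpatched.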