New safety updates set off Home windows Server auth points

0
177

[ad_1]

Microsoft says customers would possibly expertise authentication points on Area Controllers (DC) working Home windows Server. after putting in safety updates launched through the November Patch Tuesday.
These authentication points affect methods working Home windows Server 2019 and decrease variations with sure Kerberos delegation situations.
The record of affected platforms additionally contains Home windows Server 2016, Home windows Server 2012 R2, Home windows Server 2012, Home windows Server 2008 R2 SP1, and Home windows Server 2008 SP2.
The authentication points forestall end-users in Energetic Listing on-premises or hybrid Azure Energetic Listing environments from signing into companies or purposes utilizing Single Signal-On (SSO).
“After putting in the November safety updates, [..] you may need authentication failures on servers referring to Kerberos Tickets acquired through S4u2self,” Microsoft explains on the Home windows well being dashboard.
“The authentication failures are a results of Kerberos Tickets acquired through S4u2self and used as proof tickets for protocol transition to delegate to backend companies which fail signature validation.”
The entire record of originating updates for this Home windows Server recognized situation contains:
Microsoft stated it is engaged on a decision to handle this Home windows Server situation and estimates that it’s going to present an answer quickly.

Kerberos authentication will fail on Kerberos delegation situations that depend on the front-end service to retrieve a Kerberos ticket on behalf of a consumer to entry a backend service. Vital Kerberos delegation situations the place a Kerberos shopper supplies the front-end service with an proof ticket usually are not impacted. Pure Azure Energetic Listing environments usually are not impacted by this situation. – Microsoft

Impacted environments
In response to Microsoft, affected environments may be utilizing one of many following companies or apps:
Azure Energetic Listing (AAD) Software Proxy Built-in Home windows Authentication (IWA) utilizing Kerberos Constrained Delegation (KCD)
Net Software Proxy (WAP) Built-in Home windows Authentication (IWA) Single Signal On (SSO)
Energetic Listing Federated Companies (ADFS)
Microsoft SQL Server
Web Data Companies (IIS) utilizing Built-in Home windows Authentication (IWA)
Intermediate gadgets together with Load Balancers performing delegated authentication
Customers would possibly see a number of of the errors under on impacted methods:
Occasion Viewer would possibly present Microsoft-Home windows-Kerberos-Key-Distribution-Middle occasion 18 logged within the System occasion log
Error 0x8009030c with textual content Net Software Proxy encountered an sudden is logged within the Azure AD Software Proxy occasion log in Microsoft-AAD Software Proxy Connector occasion 12027
Community traces comprise the next signature much like the next:
7281 24:44 (644) 10.11.2.12 .contoso.com KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.COM Sname: http/xxxxx-xxx.contoso.com
7282 7290 (0) . CONTOSO.COM

[ad_2]