Windows out-of-band updates with fix for Kerberos authentication ticket renewal issue

Windows Update[German]Microsoft has been rolling out special updates for various versions of Windows Server since November 17, 2020. These are intended to solve the problems with Kerberos authentication of ticket renewals on domain controllers.


Advertising

The Kerberos authentication ticket renewal problem

The November 2020 update KB4586781 for Windows Server, version 2004 and 20H2 fixes a number of issues (see also Patchday: Windows 10-Updates (November 10, 2020)). However, in certain constellations, there were subsequently problems with Kerberos authentication on domain controllers if the update was installed on Windows Server, version 2004 and 20H2, but tickets were issued from Windows servers without this update. I had discussed this in the Windows 10/Windows Server: Update KB4586781 causes issues with Kerberos DC authentication after Microsoft posted a note on the Windows status page. Microsoft had promised to fix it as soon as possible.

Microsoft releases out-of-band updates with fix

Microsoft has been rolling out special updates for various versions of Windows Server since November 17, 2020. I already mentioned the first update in the blog post Windows Server 2012/R2: Out-of-band patch for Kerberos authentication issue. Here is now the list of updates for different Windows versions.

  • KB4594442 for Windows Server Version 1809 and Windows Server 2019
  • KB4594439 for Windows Server 2012 R2
  • KB4594438 for Windows Server 2012

The above updates fix Kerberos authentication issues related to the value of the PerformTicketSignature registry subkey in CVE-2020-17049. The issues are related to the Windows updates of November 10, 2020. According to the respective support articles, the special update is intended to fix the following issues:

  • Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
  • Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
  • S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.

The updates are available in the Microsoft Update Catalog (search for the KB number). Microsoft recommends installing the last Servicing Stack Update (SSU) according to ADV990001, before installing the patch. Problems are not known yet. Details can be found in the respective support articles.

Similar articles:
Patchday: Windows 10-Updates (November 10, 2020)
Windows 10/Windows Server: Update KB4586781 causes issues with Kerberos DC authentication
Windows Server 2012/R2: Out-of-band patch for Kerberos authentication issue


Advertising


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in issue, Update, Windows and tagged , , . Bookmark the permalink.

3 Responses to Windows out-of-band updates with fix for Kerberos authentication ticket renewal issue

  1. EP says:

    more out-of-band updates for other Win10 versions posted 11/19, guenni:

    KB4594441 for v1607
    https://support.microsoft.com/help/4594441/

    KB4594443 for v1903/1909
    https://support.microsoft.com/help/4594443/

    KB4594440 for v2004/20H2
    https://support.microsoft.com/help/4594440/

  2. mowgus says:

    I’ve been pulling my hair out with authentication issues in our environment (2019 DCs) over the past few weeks. Tracked it down to kerberos not renewing but couldn’t figure out why. Just found this page…. should have known it was another MS update issue.

    Thank you for posting this.

Leave a Reply to mowgus Cancel reply

Your email address will not be published. Required fields are marked *