[German]Microsoft has been rolling out special updates for various versions of Windows Server since November 17, 2020. These are intended to solve the problems with Kerberos authentication of ticket renewals on domain controllers.
The Kerberos authentication ticket renewal problem
The November 2020 update KB4586781 for Windows Server, version 2004 and 20H2 fixes a number of issues (see also Patchday: Windows 10-Updates (November 10, 2020)). However, in certain constellations, there were subsequently problems with Kerberos authentication on domain controllers if the update was installed on Windows Server, version 2004 and 20H2, but tickets were issued from Windows servers without this update. I had discussed this in the Windows 10/Windows Server: Update KB4586781 causes issues with Kerberos DC authentication after Microsoft posted a note on the Windows status page. Microsoft had promised to fix it as soon as possible.
Microsoft releases out-of-band updates with fix
Microsoft has been rolling out special updates for various versions of Windows Server since November 17, 2020. I already mentioned the first update in the blog post Windows Server 2012/R2: Out-of-band patch for Kerberos authentication issue. Here is now the list of updates for different Windows versions.
- KB4594442 for Windows Server Version 1809 and Windows Server 2019
- KB4594439 for Windows Server 2012 R2
- KB4594438 for Windows Server 2012
The above updates fix Kerberos authentication issues related to the value of the PerformTicketSignature registry subkey in CVE-2020-17049. The issues are related to the Windows updates of November 10, 2020. According to the respective support articles, the special update is intended to fix the following issues:
- Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
- Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
- S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.
The updates are available in the Microsoft Update Catalog (search for the KB number). Microsoft recommends installing the last Servicing Stack Update (SSU) according to ADV990001, before installing the patch. Problems are not known yet. Details can be found in the respective support articles.
Patchday: Windows 10-Updates (November 10, 2020)
Windows 10/Windows Server: Update KB4586781 causes issues with Kerberos DC authentication
Windows Server 2012/R2: Out-of-band patch for Kerberos authentication issue
Cookies helps to fund this blog: Cookie settings