Windows Server 2012/R2: Out-of-band patch for Kerberos authentication issue

[German] Microsoft released an out-of-band update, KB4594439, for Windows Server 2012 and Windows Server 2012 R2 on November 17, 2020. It is intended to fix the Kerberos authentication ticket renewal issues on domain controllers.



Some Background

Microsoft released update KB4586781 for Windows 10 version 2004 and version 20H2 and for Windows Server version 2004 and 20H2. The update fixes a number of problems, including some in the Windows kernel (see also Patchday: Windows 10-Updates (November 10, 2020)). However, Kerberos authentication on domain controllers failed when the update was installed on Windows Server version 2004 and 20H2 but tickets were issued by Windows servers without this update. This also affects machines running Windows Server 2012 / R2. I covered this in the blog post Windows 10/Windows Server: Update KB4586781 causes issues with Kerberos DC authentication after Microsoft posted a note on the Windows status page. Microsoft had promised to fix it as soon as possible.

Update KB4594439 for Windows Server 2012/R2

German blog reader Jürgen pointed out the new special update in this comment. Update KB4594439 for Windows Server 2012 and Windows Server 2012 R2 fixes Kerberos authentication issues related to the value of the PerformTicketSignature registry subkey introduced with CVE-2020-17049. The issues are related to the Windows updates of November 10, 2020. According to the support article, the special update fixes the following issues:

  • Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
  • Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
  • S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.

The update is available in the Microsoft Update Catalog. Microsoft recommends installing the latest Servicing Stack Update (SSU), per ADV990001, before installing the patch. No problems with the update are known yet.
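To check where a domain controller stands with respect to the three failure modes listed above, the following PowerShell audit script (an added example, not code from the blog post or from Microsoft) reads the PerformTicketSignature value, checks whether KB4594439 is installed, and reports which of the listed issues could apply. It assumes the value lives under HKLM:\SYSTEM\CurrentControlSet\Services\Kdc (an assumed path; the post only names the value), that an absent value means the default of 1 as the post states, and that Get-HotFix lists the update by its KB id.

```powershell
# Added example: audit one DC for the KB4594439 / PerformTicketSignature state.
# Not part of the original post. Assumed registry path below.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # assumed path
$ValueName = 'PerformTicketSignature'
$PatchId   = 'KB4594439'

function Get-TicketSignatureSetting {
    # Reads PerformTicketSignature; an absent value means the default of 1.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.$ValueName
}

function Test-PatchInstalled {
    param([string]$Id)
    # Get-HotFix reads Win32_QuickFixEngineering; returns $true when the KB is listed.
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-KerberosPatchReport {
    param([int]$Setting, [bool]$Patched)
    # Maps the setting to the issues the support article lists for unpatched DCs.
    $risks = @()
    if (-not $Patched) {
        switch ($Setting) {
            1 {
                $risks += 'TGT/service ticket renewal may fail for non-Windows Kerberos clients'
                $risks += 'S4UProxy delegation may fail in cross-domain referrals if intermediate DCs are inconsistently updated'
            }
            0 { $risks += 'S4U scenarios (scheduled tasks, clustering, LOB services) may fail for all clients' }
            default { $risks += "Unexpected value $Setting; expected 0 or 1" }
        }
    }
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        PerformTicketSignature = $Setting
        KB4594439Installed     = $Patched
        KnownIssues            = if ($risks) { $risks -join '; ' } else { 'none listed' }
    }
}

Get-KerberosPatchReport -Setting (Get-TicketSignatureSetting) -Patched (Test-PatchInstalled -Id $PatchId) |
    Format-List
```

Run it elevated on each Windows Server 2012/R2 domain controller (or wrap the body in Invoke-Command against the DC list from Get-ADDomainController -Filter * to cover a whole domain at once). Two caveats: Get-HotFix does not always list every cumulative update, so a missing KB id should be confirmed in Windows Update history before acting on it, and the third issue (inconsistently updated intermediate domains) can only be judged by comparing the reports from all DCs in the referral path, not from a single host.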





