[German]Microsoft has published further special updates for various Windows Server versions as of November 19, 2020. These are intended to fix the problems with Kerberos authentication of ticket renewals on domain controllers for the operating system versions concerned.
In the articled Windows out-of-band updates with fix for Kerberos authentication ticket renewal issue I already reported about the first unscheduled correction updates for the Kerberos authentication problem a few days ago. Blog reader EP has informed me now about further updates in this comment.
List of out-of-band updates with Kerberos fixes
Microsoft had already released the following special updates for various Windows Server versions on November 17, 2020 (see Windows out-of-band updates with fix for Kerberos authentication ticket renewal issue and Windows Server 2012/R2: Out-of-band patch for Kerberos authentication issue).
- KB4594442 for Windows Server Version 1809 and Windows Server 2019
- KB4594439 for Windows Server 2012 R2
- KB4594438 for Windows Server 2012
On November 19, 2020 the following updates for further Windows versions has been added.
- KB4594441 for Windows Server Version 1607
- KB4594443 for Windows Server Version 1903/1909
- KB4594440 for Windows Server Version v2004/20H2
The updates are available in the Microsoft Update Catalog (search for the KB number). Microsoft recommends installing the last Servicing Stack Update (SSU) according to ADV990001, before installing the patch. According to the respective support articles, the special update should fix the following problems:
- Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
- Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
- S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.
This should make all Windows servers available with updates to fix the Kerberos authentication problem. Regarding the problems with the installation of the software, please read the linked support articles.
The Kerberos authentication problem
The November 2020 update KB4586781 for Windows Server, version 2004 and 20H2 fixes a number of issues (see alsoPatchday: Windows 10-Updates (November 10, 2020)). However, in certain constellations, there were subsequently problems with Kerberos authentication on domain controllers if the update was installed on Windows Server, version 2004 and 20H2, but tickets were issued from Windows servers without this update. I had reported this in the blog post Windows 10/Windows Server: Update KB4586781 causes issues with Kerberos DC authentication. Microsoft had promised to fix it as soon as possible. With the above updates, these fixes should now be available.
Cookies helps to fund this blog: Cookie settings