Search the Petri IT Knowledgebase

The Unofficial M365 Changelog

Sponsors

Podcasts

Learning Center
search icon

close

Icon for Latest Whitepaper

Latest Whitepaper

Choosing an MFA Solution for Your Active Directory Environment? Ask These 15 Questions.
Icon for On-Demand Webinar

On-Demand Webinar

Combating Cyberattacks in 2022: Prepare to Defend Your Active Directory
Icon for Upcoming Conference

Upcoming Conference

GET-IT Microsoft Cloud Security and Compliance 1-Day Virtual Conference
Icon for Ebook

Ebook

The Forrester New Wave™: SaaS Application Data Protection, Q4 2021

Home

Windows Server

Microsoft Issues Emergency Update Fix for Windows Server SSO Authentication Bug

Author avatar - Russell Smith

Russell Smith

 |

Nov 15, 2021

Microsoft Issues Update Fix for Windows Server SSO Auth Bug

Microsoft has issued an out-of-band emergency update fix to patch an authentication issue that was caused by the November 9th cumulative update for Windows Server. The bug affects Windows Server 2008 SP2 through to Windows Server 2019.

The November 9th Patch Tuesday cumulative update (CU) for Windows Server causes a problem that can cause authentication failures on Active Directory (AD) domain controllers (DC). Microsoft says about the new out-of-band update:

advertisment

Addresses a known issue that might cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self). This issue occurs after you install the November 9, 2021 security updates on domain controllers (DC) that are running Windows Server.

The bug caused by the Patch Tuesday update can prevent end users from signing into services or apps that are configured to use single sign-on (SSO) in AD or hybrid Azure Active Directory (AAD) environments.

Errors on systems impacted by the SSO Windows Server authentication bug

Microsoft says that organizations might see the following issues on systems affected by the bug:

  • Event Viewer might show Microsoft-Windows-Kerberos-Key-Distribution-Center Event 18 logged in the System event log
  • Error 0x8009030c with text Web Application Proxy encountered an unexpected is logged in the Azure AD Application Proxy event log in Microsoft-AAD Application Proxy Connector event 12027
  • Network traces contain the following signature similar to the following:
    • 7281 24:44 (644) 10.11.2.12 .contoso.com KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.COM Sname: http/xxxxx-xxx.contoso.com
    • 7282 7290 (0) . CONTOSO.COM

Kerberos extension S4U2self impacted by November 2021 Patch Tuesday cumulative update

S4U2self is a Kerberos protocol extension for AD that lets a service get a Kerberos service ticket for itself on behalf of a user. Using S4U2self, the user is identified to the Key Distribution Center (KDC) with the user’s name and realm, or alternatively the user’s certificate.

advertisment

Service for User (S4U) can be used in different scenarios, like running Windows Task Scheduler tasks under a user account without storing the user’s password. Or allowing an external web server to get a Kerberos service ticket on a user’s behalf.

Here is a list of the updates that you can download for each affected version of Windows Server:

Windows Server version Microsoft Update Catalog update link
Windows Server 2008 SP2 KB5008606
Windows Server 2008 R2 SP1 KB5008605
Windows Server 2012 KB5008604
Windows Server 2012 R2 KB5008603
Windows Server 2016 KB5008601
Windows Server 2019 KB5008602

How to install the S4U2self authentication fix for Windows Server domain controllers

Microsoft isn’t making this out-of-band fix available via Windows Update. But you can download the updates manually from the Microsoft Update Catalog using the links above and then manually important each update into Windows Server Update Services (WSUS).

More from Russell Smith

TwiIT ep21

Project Volterra, Hybrid Loop, and NPUs to Supercharge AI on Your Devices
TWiIT ep20

Windows 11 Approved for Broad Deployment and 'One Outlook' Drops for Insiders
This Week in IT Ep 19

Microsoft Takes on Rival Calendly with Outlook Bookings - Plus the Latest IT News Updates

advertisment

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

advertisment

More in Windows Server

Windows Server 4 Hero Approved

Microsoft Releases Out-Of-Band Patches to Fix Windows AD Authentication Issues

May 20, 2022 | Rabia Noureen

Windows Server 3 Hero Approved

CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers

May 17, 2022 | Rabia Noureen

Windows Server 1 Hero Approved

Microsoft Confirms May 2022 Patch Tuesday Updates Cause AD Authentication Issues

May 12, 2022 | Rabia Noureen

Windows 11

Microsoft to Disable SMB1 File-Sharing Protocol By Default on Windows 11

Apr 20, 2022 | Rabia Noureen

Microsoft logo

Microsoft Defender for Endpoint Adds Support for Windows Server 2012 R2 and 2016

Apr 14, 2022 | Rabia Noureen

Windows Logo

Microsoft Lets Windows Server Admins Opt-In for Automatic .NET Updates

Apr 13, 2022 | Rabia Noureen

Most popular on petri

X

Log in to save content to your profile.

Login

Sign Up

Username/Email

Password

Forgot Password?

Login

Article saved!

Access saved content from your profile page. View Saved

Reach out

Contact Us

Advertising

About Us

Media Kit

Learn More

Podcasts

Learning Center

Webinars

Sitemap

Windows

Cloud

Office 365

Servers

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use

 |

Privacy Policy