Update November 15, 04:37 EST: Microsoft has released out-of-band updates to address the authentication issues on DCs running impacted Windows Server versions.

Microsoft says users might experience authentication issues on Domain Controllers (DC) running Windows Server after installing security updates released during the November Patch Tuesday.

These authentication issues impact systems running Windows Server 2019 and lower versions with certain Kerberos delegation scenarios. The list of affected platforms also includes Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

The authentication issues prevent end-users in Active Directory on-premises or hybrid Azure Active Directory environments from signing into services or applications using Single Sign-On (SSO).

"After installing the November security updates, you might have authentication failures on servers relating to Kerberos Tickets acquired via S4u2self," Microsoft explains on the Windows health dashboard.

"The authentication failures are a result of Kerberos Tickets acquired via S4u2self and used as evidence tickets for protocol transition to delegate to backend services which fail signature validation."

The complete list of originating updates for this Windows Server known issue includes:

Microsoft said it's working on a resolution to address this Windows Server issue and estimates that it will provide a solution soon.

Kerberos authentication will fail on Kerberos delegation scenarios that rely on the front-end service to retrieve a Kerberos ticket on behalf of a user to access a backend service.

Important: Kerberos delegation scenarios where a Kerberos client provides the front-end service with an evidence ticket are not impacted. Pure Azure Active Directory environments are not impacted by this issue.

Impacted environments

According to Microsoft, affected environments might be using one of the following services or apps:

- Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD).
- Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO).
- Active Directory Federated Services (ADFS).
- Internet Information Services (IIS) using Integrated Windows Authentication (IWA).
- Intermediate devices including Load Balancers performing delegated authentication.

Users might see one or more of the errors below on impacted systems:

- Event Viewer might show Microsoft-Windows-Kerberos-Key-Distribution-Center event 18 logged in the System event log.
- Error 0x8009030c with text Web Application Proxy encountered an unexpected is logged in the Azure AD Application Proxy event log in Microsoft-AAD Application Proxy Connector event 12027.
- Network traces contain a signature similar to the following:
  KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.COM Sname: http/

Strategies to Mitigate Cyber Security Incidents ranks timely patching of security vulnerabilities, as well as using the latest operating system versions, as essential mitigation strategies in preventing cyber security incidents.

On 14 January 2020, Microsoft ended support for Microsoft Windows Server 2008 and Windows Server 2008 R2. As such, organisations no longer receive patches for security vulnerabilities identified in these products. Subsequently, adversaries may use these unpatched security vulnerabilities to target Microsoft Windows Server 2008 and Windows Server 2008 R2 servers.

Organisations using Microsoft Windows Server 2008 and Windows Server 2008 R2 should upgrade to the latest version of Microsoft Windows Server 2016 or Windows Server 2019 to continue receiving patches for security vulnerabilities, while also benefiting from security improvements in the newer operating systems. Organisations yet to upgrade to a newer supported operating system should review their risk assessments and begin planning for the implementation of mitigation strategies to reduce their risk exposure – noting there will still be an overall increase in risk exposure until such a time that Microsoft Windows Server 2008 and Windows Server 2008 R2 servers are upgraded.

The advice in this publication is intended for organisations unable to upgrade from Microsoft Windows Server 2008 and Windows Server 2008 R2.