Microsoft fixes Kerberos-related authentication issues in Windows Server

Microsoft has issued out-of-band (OOB) updates to address authentication failures on domain controllers that run all currently supported editions of Windows Server.

According to the security advisory, the updates address an issue that causes authentication failures related to Kerberos tickets that have been acquired from Service for User to Self (S4U2self).

Importantly, the issue only manifests itself on Windows Server installations that are running the security updates released on November 9, 2021.

Microsoft has released OOB updates to address the issue in Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008.

OOB updates

According to BleepingComputer, Microsoft's advisories also describe the multiple ways the issue might present itself, depending on the configuration and version of your Windows Server installation.

It adds that users of the affected systems will not be able to install these OOB emergency updates through the Windows Update service, nor will they be able to install them automatically on the affected domain controllers.

Instead, users will have to search for the updates in the Microsoft Update catalog and download the standalone update packages for their respective Windows Server installation.

Importantly, Microsoft has confirmed that the issue doesn’t impact Kerberos delegation scenarios where a Kerberos client provides the front-end service with an evidence ticket. Furthermore, pure Azure Active Directory environments are immune as well.

Mayank Sharma
