Problems with Kerberos double hop after installing Windows Server update November 9, 2021

[Tracy Briscoe]

Hi All

 

FYI, we’ve had issues with Kerberos double hop authentication after installing this month’s Windows update on our domain controllers.

The cumulative update includes KB5008380.

 

We’ve had to roll back the update for the moment.

 

Regards,

 

Tracy Briscoe
Senior Network and Systems Engineer

St Peter’s School, Cambridge

Note: This communication may contain privileged and confidential information intended only for the addressee named above. Any views or opinions presented are solely those of the author. If you have received this message in error, we request you delete the message and notify the sender. Please do not distribute, copy or disclose any information. This e-mail has been scanned for viruses but all liability for viruses or similar in any attachment or message is excluded.

St Peter's, Cambridge, New Zealand
Telephone: +64 7 827 9899
Website: www.stpeters.school.nz

Please consider the environment before printing this email

[Ben Green]

Thanks for the heads up.

Did you hit the issue noted here...

https://docs.microsoft.com/en-ca/windows/release-health/status-windows-10-1809-and-windows-server-2019#2748msgdesc

... or something else?

- Ben.

---

From: techies-f...@googlegroups.com <techies-f...@googlegroups.com> on behalf of Tracy Briscoe <Tra...@stpeters.school.nz>
Sent: Thursday, 11 November 2021 8:54 PM
To: 'techies-f...@googlegroups.com' <techies-f...@googlegroups.com>
Subject: [techies-for-schools] Problems with Kerberos double hop after installing Windows Server update November 9, 2021

 

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/techies-for-schools/e35ab3011b964947bac6570bc0152604%40stpeters.school.nz.

Christchurch Boys' High School phone: +64 3 348 5003 address: 71 Straven Road, Riccarton, Christchurch 8014 postal: PO Box 8157, Riccarton, Christchurch 8440 web: www.cbhs.school.nz

[Tracy Briscoe]

HI Ben

 

We’ve seen two scenarios:

1. Domain joined window client -> web server (IIS) -> back end servers (MS SQL and file server)
2. BYOD/external client -> Web Application Proxy (WAP) -> web server -> back end servers (MS SQL/file server/Exchange Mail server)

 

The second scenario is covered by the known issue you’ve posted the link to. 

However the first does not appear to be covered, unless the webserver is doing an authentication protocol translation we don’t know about.

 

Regards,

 

Tracy Briscoe
Senior Network and Systems Engineer

St Peter’s School, Cambridge

 

To view this discussion on the web visit https://groups.google.com/d/msgid/techies-for-schools/SYBPR01MB5472574EFCC52B00D86DB9A8DB969%40SYBPR01MB5472.ausprd01.prod.outlook.com.

[Alistair Baird]

I applied the No-11 Rollup KB5007192 on Thursday to our DC's and no problem. Applied it to our print server on Friday night, and although it all looked good remotely, users were "disallowed" this morning - had to roll the update back on the printer server and all was good.

To view this discussion on the web visit https://groups.google.com/d/msgid/techies-for-schools/a58ee81c70df453e9e81c68936efc339%40stpeters.school.nz.

--

Alistair Baird

IT Manager

St Peters College 

p 06 354 4198

m 021 482 937

e bai...@stpeterspn.school.nz

[Tracy Briscoe]

One thing to note is that for us the issues didn’t occur until the user had new Kerberos tickets.

Hence users who have logged on before the DCs were updated were able to access resources, where as those who logged on afterwards had issues.  By default Kerberos tickets expire after 10 hours, and can be renewed for up to 7 days.