New Microsoft emergency updates fix Windows Server authentication problems


Microsoft has released out-of-band updates to address authentication errors related to Kerberos delegation scenarios that affect domain controllers (DCs) running supported versions of Windows Server.

On affected systems, end users cannot access services or applications using Single Sign-On (SSO) in on-premises Active Directory or hybrid Azure Active Directory environments.

These issues affect systems running Windows Server 2019 and earlier, including Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

The emergency updates address “a known issue that could cause authentication errors related to Kerberos tickets acquired by Service for User to Self (S4U2self),” an announcement from Microsoft explained Sunday.

“This problem occurs after installing the November 9, 2021 security updates on domain controllers (DCs) running Windows Server.”

The full list of out-of-band updates released by Microsoft over the weekend includes:

How to deploy OOB updates

You will not be able to install these emergency updates through Windows Update and they will not be automatically installed on affected domain controllers.

To download the standalone update packages, you'll need to search for them in the Microsoft Update Catalog (you can also use the download links above).

You can manually import these updates into Windows Server Update Services (WSUS) using the instructions in the Microsoft Update Catalog.

When Microsoft confirmed these issues on Thursday, the company said that users may see one or more of the following errors on the affected systems:

  • Event Viewer may show Microsoft-Windows-Kerberos-Key-Distribution-Center event 18 logged in the System event log
  • Error 0x8009030c with the text "Web Application Proxy encountered an unexpected event" is logged in the Azure AD Application Proxy event log in Microsoft-AAD Application Proxy Connector event 12027
  • Network traces contain a signature similar to the following:
    • 7281 24:44 (644) 11/10/2/12 KerberosV5 KerberosV5: TGS Request Area: CONTOSO.COM Name: http /
    • 7282 7290 (0). CONTOSO.COM
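
To check whether the first two symptoms are present before deploying the out-of-band update, the event logs can be queried remotely. The script below is an added example, not from Microsoft or the original article; the host names are placeholders, and the provider name and the connector log name are assumptions to confirm with `Get-WinEvent -ListProvider` and `Get-WinEvent -ListLog`.

```powershell
# Added example: report the symptom events listed above, per host.
# Assumptions: host names are placeholders; provider/log names must be
# confirmed in your environment before relying on a "None" result.

$Since = Get-Date '2021-11-09'   # date of the security updates that introduced the issue
$DomainControllers = @('dc01.example.test', 'dc02.example.test')   # placeholders
$ProxyConnectors   = @('appproxy01.example.test')                  # placeholder

$Checks = @(
    foreach ($dc in $DomainControllers) {
        @{ Computer = $dc; Symptom = 'KDC event 18'
           Filter = @{ LogName      = 'System'
                       ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
                       Id = 18; StartTime = $Since } }
    }
    foreach ($c in $ProxyConnectors) {
        @{ Computer = $c; Symptom = 'App Proxy connector event 12027'
           Filter = @{ LogName = 'Microsoft-AadApplicationProxy-Connector/Admin'
                       Id = 12027; StartTime = $Since } }
    }
)

$Results = foreach ($check in $Checks) {
    try {
        $events = @(Get-WinEvent -ComputerName $check.Computer `
                        -FilterHashtable $check.Filter -ErrorAction Stop)
        $status = 'Found'
    } catch {
        $events = @()
        # Get-WinEvent errors when nothing matches; keep that distinct from a failed query
        $status = if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { 'None' }
                  else { "QueryFailed: $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        Computer = $check.Computer
        Symptom  = $check.Symptom
        Status   = $status
        Count    = $events.Count
        Latest   = ($events | Select-Object -First 1).TimeCreated   # newest first
    }
}
$Results | Format-Table -AutoSize
```

A `QueryFailed` status means the host could not be queried, so it says nothing about whether the symptom is present there.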

