Kerberos authentication and ticket renewal issues on Windows Server 2012 R2 - Out-of-band

Applies to:

  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)

Summary


This update resolves the following issue:

  • Addresses issues with Kerberos authentication related to the PerformTicketSignature registry subkey value in CVE-2020-17049, which was a part of the November 10, 2020 Windows update. The following issues might occur on writable and read-only domain controllers (DCs):

    • Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
    • Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
    • S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.

Known issues in this update


We are currently not aware of any issues that affect this update.

How to get this update


Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Prerequisites

We strongly recommend that you install the latest servicing stack update (SSU) before you apply this update. The latest SSU for your version of Windows can be found in ADV990001 | Latest Servicing Stack Updates.

File information


File verification


File attributes

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.

References


For information on SSUs, see the following articles:

Learn about the terminology that Microsoft uses to describe software updates.