Windows security updates that were distributed last week as part of the security patch day have apparently caused new problems on some systems in corporate environments – namely when authenticating with Kerberos.

Microsoft has made improvements and updates for Windows Server 2004 (/ R2), 2016, 2019, 1903 / 1903 and 2004/20 H2 provided to fix the problem. The updates are optional: admins do not get them via WSUS, but can download them manually from Microsoft’s update catalog if necessary.

DCs and RODCs potentially affected The problems are caused by updates that fix the CVE gap – 2020 – 17049, should close. According to Microsoft’s advisory on CVE – 2020 – 17049 enabled these attackers to circumvent the security mechanisms of the Kerberos Key Distribution Center (KDC) under certain conditions. The way in which the vulnerability was originally eliminated caused various problems with Kerberos authentication and renewing the tickets used by the Kerberos service on some domain controllers (DCs) and read-only domain controllers (RODCs).

Affected versions and downloads Further details on the fixes can be found below linked support articles for the affected Windows servers -Versions can be found. Microsoft also recommends that you ensure that the latest Servicing Stack Update (SSU) has been installed before updating.

Windows Server 2012: KB 4594438 (Download Update) Windows Server 2012 R2: KB 4594439 (Download Update) Windows Server 2016: KB 4594441 (Download Update) Windows Server 2019: KB 4594442 (Download Update) Windows Server version 1903 / 1909: KB 4594443 (Download Update) Windows Server version 2004 / 20 H2: KB 4594440 (Download Update) Latest Servicing Stack Updates (overview) (ovw)