
Discovery Search returns no results post Windows KB5007206 patch

This is an emerging issue. Please check back for the most up-to-date information.

Issue

On November 9, 2021, Microsoft released KB5007206, the November cumulative update for Windows Server 2019 (OS build 17763.2300). Microsoft acknowledges a known issue in this update that affects Windows Server domain controllers and Kerberos authentication: service tickets obtained via S4U2self and then used for protocol transition to a backend service fail signature validation. Discovery Search depends on this Kerberos delegation path for single sign-on and user impersonation, so once the update is installed on the domain controllers, Discovery Search may return no results for users because the delegated authentication to its backend fails.

From https://support.microsoft.com/en-us/topic/november-9-2021-kb5007206-os-build-17763-2300-c63b76fa-a9b4-4685-b17c-7d866bb50e48

After installing the November security updates, released November 9, 2021 on your Domain Controllers (DC) that are running a version of Windows Server, you might have authentication failures on servers relating to Kerberos Tickets acquired via S4U2self. The authentication failures are a result of Kerberos Tickets acquired via S4U2self and used as evidence tickets for protocol transition to delegate to backend services which fail signature validation. Kerberos authentication will fail on Kerberos delegation scenarios that rely on the front-end service to retrieve a Kerberos ticket on behalf of a user to access a backend service. Important: Kerberos delegation scenarios where a Kerberos client provides the front-end service with an evidence ticket are not impacted. Pure Azure Active Directory environments are not impacted by this issue.

End users in your environment might be unable to sign into services or applications using Single Sign On (SSO) using Active Directory on-premises or in a hybrid Azure Active Directory environment. Updates installed on the client Windows devices will not cause or affect this issue.

Affected environments might be using the following:

Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD)

Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO)

Active Directory Federated Services (ADFS)

Microsoft SQL Server

Internet Information Services (IIS) using Integrated Windows Authentication (IWA)

Intermediate devices including Load Balancers performing delegated authentication

You might receive one or more of the following errors when encountering this issue:

Event Viewer might show Microsoft-Windows-Kerberos-Key-Distribution-Center event 18 logged in the System event log

Error 0x8009030c with text Web Application Proxy encountered an unexpected is logged in the Azure AD Application Proxy event log in Microsoft-AAD Application Proxy Connector event 12027

Network traces contain a signature similar to the following:

7281 24:44 (644) 10.11.2.12 <app server hostname>.contoso.com KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.COM Sname: http/xxxxx-xxx.contoso.com

7282 7290 (0) <hostname>. CONTOSO.COM <IP address of the application server making the TGS request>

How to check if KB5007206 or KB5008602 has been installed on a system

Check KB5007206

  1. Open Windows Command Prompt (cmd.exe)

  2. Run the following command:

     wmic qfe | find "KB5007206"

Check KB5008602

  1. Open Windows Command Prompt (cmd.exe)

  2. Run the following command:

     wmic qfe | find "KB5008602"
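The two wmic checks above cover one server at a time, and wmic itself is deprecated on newer Windows releases. The following PowerShell script is an added example, not part of the original article or of Discovery Search, that performs the same check across a list of servers and also looks for the Kerberos-Key-Distribution-Center event 18 that Microsoft lists as a symptom. The function name, the -ComputerName and -Since parameters, the seven-day look-back window and the server name search01.contoso.com are assumptions made for the example; remote hosts need WinRM/DCOM access, and Get-ADDomainController requires the ActiveDirectory RSAT module.

```powershell
# Added example, not from the original article or Microsoft's KB.
# Reports, per server, whether KB5007206 is installed without its fix
# KB5008602, and how many KDC event 18 entries the System log holds.
# Event 18 is written by the KDC, so IIS front ends will report 0 here.
function Test-KerberosDelegationPatchState {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),   # assumed parameter
        [datetime]$Since = (Get-Date).AddDays(-7)           # assumption: one week back
    )
    foreach ($computer in $ComputerName) {
        # Same data wmic qfe reads (Win32_QuickFixEngineering).
        $hotfixIds  = (Get-HotFix -ComputerName $computer -ErrorAction Stop).HotFixID
        $hasProblem = $hotfixIds -contains 'KB5007206'
        $hasFix     = $hotfixIds -contains 'KB5008602'

        # Symptom named by Microsoft: KDC event 18 in the System log.
        $filter = @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 18
            StartTime    = $Since
        }
        # Get-WinEvent raises a non-terminating error when nothing matches; treat that as 0.
        $kdcEvents = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter `
                        -ErrorAction SilentlyContinue)

        $state = if ($hasFix)         { 'Fixed'      }
                 elseif ($hasProblem) { 'Affected'   }
                 else                 { 'NeitherKB'  }

        [pscustomobject]@{
            Computer   = $computer
            KB5007206  = $hasProblem
            KB5008602  = $hasFix
            KdcEvent18 = $kdcEvents.Count
            State      = $state
        }
    }
}

# Usage: every domain controller plus the Discovery Search IIS server(s).
# 'search01.contoso.com' is a placeholder host name.
$dcs = (Get-ADDomainController -Filter *).HostName
Test-KerberosDelegationPatchState -ComputerName ($dcs + 'search01.contoso.com') |
    Format-Table -AutoSize
```

A server that shows neither KB may simply have received a later cumulative update that supersedes both; check the installed update list for that case before concluding that the host was never patched. A domain controller reporting State = Affected together with a non-zero KdcEvent18 count is the combination this article describes.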

Solution

Microsoft notes that the issue has been resolved in KB5008602 (November 14, 2021).

  1. KB5008602 needs to be applied to:

    1. All machines running Discovery Search in IIS

    2. All Domain Controllers

  2. Restart all affected servers once KB5008602 has been applied
