Blank Shares with SSO Login caused by Windows Update
This incident occurred in November 2021, with an out-of-band patch in mid-November and final fixes in the cumulative updates for December 2021 and January 2022. As of Summer 2022 no further incidents of this kind have occurred, nor are any expected, as the updates that caused it are no longer current.
We retain this article for archival purposes, but it is not an active incident nor a common cause of share issues with MyWorkDrive.
Note: Microsoft released a fix with the December Cumulative update
Per the Microsoft Update Catalog, out-of-band update KB5008601 (Server 2016) has been superseded by the December CU KB5008207, and out-of-band update KB5008602 (Server 2019) has been superseded by the December CU KB5008218. You can therefore skip the out-of-band update and go straight to the December cumulative update.
If you have installed the November update and are experiencing issues logging in with SSO, the December CU will resolve the issue.
If you have not installed any of these updates, the December CU delivers the security fix without breaking SSO logins.
Problem Description
An update released by Microsoft on 9 November 2021 as part of Patch Tuesday contained a flaw that broke Kerberos authentication, which is used by many SSO products including MyWorkDrive, when the update is installed on domain controllers. The update was Microsoft's fix for CVE-2021-42287.
Impacted clients will experience Web Client logins showing no available shares after login, and Map Drive clients failing to login and reporting “No Shares Provisioned” or a “User Not Found” error (depending on Map Drive client version).
Details on the flaw and flaw resolution are available here
https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1809-and-windows-server-2019#2748msgdesc
The issue is only present when the update is installed on Domain Controllers. Installing/removing from MyWorkDrive servers and File Servers has no bearing on the issue.
Updated patches were released on 14 November 2021 to correct the flaw in the earlier updates and should be installed on domain controllers. They must be manually downloaded from the Microsoft Update Catalog and installed; they are not offered through Microsoft Update.
KB5008602 for Server 2019:
KB5008601 for Server 2016:
The original updates which cause the issue are:
KB5007206 for Server 2019:
https://support.microsoft.com/en-us/topic/november-9-2021-kb5007206-os-build-17763-2300-c63b76fa-a9b4-4685-b17c-7d866bb50e48
KB5007192 for Server 2016:
https://support.microsoft.com/en-us/topic/november-9-2021-kb5007192-os-build-14393-4770-f534a33a-ed00-4bd2-8248-9424c53e9bde
If either of those is installed on your domain controllers, you need to either remove them or install the patch linked above to correct the issue.
If your domain controllers are not 2016/2019, links for the update and patch for other versions of windows can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
Server 2008, 2008 R2, 2012 and 2012 R2 are all impacted.
Identifying a DC with the bug
The following events, logged to the System event log on a domain controller, indicate that the DC has the November update installed but not the fix:
| Event Source | Event ID | Event Text |
| --- | --- | --- |
| Kdcsvc | 35 | The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (“<KDC Name>”) that did not contain a PAC attributes field. |
| Kdcsvc | 36 | The Key Distribution Center (KDC) encountered a ticket that did not contain a PAC while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. Client: <Domain Name>\<User Name> Ticket for: <Service Name> |
| Kdcsvc | 37 | The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. Ticket PAC constructed by: <KDC Name> Client: <Domain Name>\<Client Name> Ticket for: <Service Name> |
| Kdcsvc | 38 | The Key Distribution Center (KDC) encountered a ticket that contained inconsistent information about the account that requested the ticket. This could mean that the account has been renamed since the ticket was issued, which may have been part of an attempted exploit. Ticket PAC constructed by: <KDC Name> Client: <Domain Name>\<User Name> Ticket for: <Service Name> Requesting Account SID from Active Directory: <SID> Requesting Account SID from Ticket: <SID> |
Unlike some flaws in Microsoft patches and updates, this is not a case of "you may be impacted". You will be impacted if you use SSO and install the November updates on your domain controllers without installing the patch that fixes them.
If you see blank shares when using SSO while domain credential logins show shares, first check that you have correctly enabled delegation. If delegation is correctly enabled, check your domain controllers to see whether either of the November KBs is installed. If so, install the patches to resolve the issue.
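The two checks above (which KBs are on each domain controller, and whether the DC is logging the Kdcsvc 35-38 events) can be run from one script. The following PowerShell is an added example and is not part of the MyWorkDrive article or the MyWorkDrive product; it assumes a domain-joined machine with an account that can read installed hotfixes and the System event log on the DCs, and it covers only the Server 2016/2019 KB numbers listed in this article. The provider names used in the event filter are an assumption; if your DCs show the events under a different source, adjust the filter.

```powershell
# Added example (not from the MyWorkDrive article): report, for every domain controller,
# whether the November 2021 updates that broke Kerberos delegation are installed,
# whether a fix (out-of-band patch or superseding December CU) is installed, and
# how many Kdcsvc 35-38 events the DC has logged in the last 24 hours.
# Only the Server 2016/2019 KB numbers from the article are listed here (assumption:
# other OS versions would need their own KB numbers from the MSRC page for CVE-2021-42287).

$BrokenKBs = 'KB5007206', 'KB5007192'               # 9 Nov 2021 CUs for Server 2019 / 2016
$FixedKBs  = 'KB5008602', 'KB5008601',              # 14 Nov 2021 out-of-band fixes (2019 / 2016)
             'KB5008218', 'KB5008207'               # Dec 2021 CUs that supersede them (2019 / 2016)
$KdcEventIds = 35, 36, 37, 38                       # PAC-related KDC events listed in the article

# Event provider names to match (assumption: 'Kdcsvc' is the source named in the article,
# the longer name is the modern KDC provider; both are tried).
$KdcProviders = 'Kdcsvc', 'Microsoft-Windows-Kerberos-Key-Distribution-Center'

# Enumerate DCs without needing the ActiveDirectory RSAT module
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

foreach ($dc in $dcs) {
    $name = $dc.Name
    try {
        # Get-HotFix queries Win32_QuickFixEngineering over DCOM; cumulative updates appear here
        $hotfixes = (Get-HotFix -ComputerName $name -ErrorAction Stop).HotFixID
    } catch {
        Write-Warning "$name : could not enumerate hotfixes ($($_.Exception.Message))"
        continue
    }

    $hasBroken = @($hotfixes | Where-Object { $BrokenKBs -contains $_ })
    $hasFixed  = @($hotfixes | Where-Object { $FixedKBs  -contains $_ })

    # Count recent KDC events about tickets with a missing or inconsistent PAC.
    # Get-WinEvent throws "No events were found" when nothing matches, so suppress that.
    $events = @(Get-WinEvent -ComputerName $name -FilterHashtable @{
        LogName      = 'System'
        ProviderName = $KdcProviders
        Id           = $KdcEventIds
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue)

    # A DC is "needs fix" when a broken KB is present and no fix KB is present.
    # A DC with no broken KB but recent 35-38 events is flagged for a closer look,
    # since the superseding CU may have been installed directly (which is fine) or
    # the DC may be on an OS version whose KBs are not in this list.
    $status = if ($hasBroken.Count -gt 0 -and $hasFixed.Count -eq 0) { 'NEEDS FIX' }
              elseif ($hasFixed.Count -eq 0 -and $events.Count -gt 0) { 'CHECK (KDC events, no fix KB listed)' }
              else { 'OK' }

    [PSCustomObject]@{
        DomainController = $name
        BrokenKBs        = ($hasBroken -join ',')
        FixKBs           = ($hasFixed  -join ',')
        KdcEvents24h     = $events.Count
        Status           = $status
    }
}
```

Run it from an elevated PowerShell session on a domain-joined admin workstation and pipe the output to `Format-Table -AutoSize`. A DC reported as NEEDS FIX should get the December CU for its OS version; a DC reported OK that still produces blank SSO shares points back at the delegation configuration rather than at this update.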