KB2871997 caused issues with Kerberos in our environment. Before the update, users could log in with just their username; after the update it required username@domain.tld, which is a big problem for us.
Can you please elaborate? Local users were unable to login, or domain? And via interactive login or login via Remote Desktop or psexec/named pipes/admin share?
Domain users could not log in on the physical machine using just their “username” with the default domain for login defined; they instead had to log in using “username@domain.tld” at the login window. “domain.tld\username” did not work either.
RDP did not seem to be affected.
This did not seem to affect ALL machines with the patch installed, but a lot of them. We are still investigating the root cause. We are using MIT Kerberos for authentication.
To be clear, this is a Microsoft update problem… it has nothing to do with IBM. It did not matter whether the machines with the problem had the patch installed through WSUS, Windows Update, or BigFix/IEM.
Thanks! This line worries me greatly but I guess other items have equal potential of borking things on both workstations and servers.
Credential cleanup in LSA
This feature reduces the attack surface of domain credentials in the LSA. Changes to this feature include: prevent network logon and remote interactive logon to domain-joined machine using local accounts, restrict logon credential cache to logon lifetime, restrict Kerberos/NTLM/Digest/CredSSP supplied credential cache, restrict Kerberos cache of plain text password, do not cache logon credential in CredSSP unless Credentials Delegation policy allows, and restrict use of logon credential for Digest.
Not all computers were affected by this issue, but a large percentage were. The current theory is that there are updates applied to the broken systems that were not applied to the working ones, and the combination is causing the issue.
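One way to test the theory above, as an added example rather than anything posted in the thread: diff the installed hotfix lists of a working and a broken machine and confirm whether KB2871997 is present on the broken one. The computer names are placeholders, and remote Get-HotFix assumes WMI/DCOM access to both machines.

```powershell
# Added example, not from the thread: find updates present on only one of two machines.
# Computer names are placeholders; replace with a known-good and a known-bad workstation.
param(
    [string]$Working = 'WORKSTATION-OK',
    [string]$Broken  = 'WORKSTATION-BAD'
)

function Get-HotFixDiff {
    param([string]$Working, [string]$Broken)
    $ok  = Get-HotFix -ComputerName $Working | Select-Object -ExpandProperty HotFixID
    $bad = Get-HotFix -ComputerName $Broken  | Select-Object -ExpandProperty HotFixID
    # SideIndicator '=>' means the update is only on $Broken, '<=' only on $Working
    Compare-Object -ReferenceObject $ok -DifferenceObject $bad |
        Sort-Object InputObject |
        Select-Object @{ n = 'HotFixID'; e = { $_.InputObject } },
                      @{ n = 'OnlyOn';   e = { if ($_.SideIndicator -eq '=>') { $Broken } else { $Working } } }
}

# Updates that differ between the two machines; candidates for the "combination" theory
Get-HotFixDiff -Working $Working -Broken $Broken | Format-Table -AutoSize

# Confirm the update discussed in the thread is actually installed on the broken machine
$kb = Get-HotFix -Id 'KB2871997' -ComputerName $Broken -ErrorAction SilentlyContinue
if ($kb) { "KB2871997 installed on $Broken on $($kb.InstalledOn)" }
else     { "KB2871997 not found on $Broken" }
```

Run it against several working/broken pairs and look for a hotfix that shows up under OnlyOn for the broken machines every time.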