MS Update KB2871997 caused problems with Kerberos

(imported topic written by jgstew)

https://technet.microsoft.com/library/security/2871997

KB2871997 caused issues with Kerberos in our environment. Before the update, users could log in with just their username; after the update, it required username@domain.tld, which is a big problem for us.

UPDATE:

This appears to only happen on machines that have both KB2871997 as well as this optional hotfix installed:
http://support.microsoft.com/kb/2748437

Related Custom Content:

I have published a task “Rollback Patch Task: KB2871997 - Fix potential Kerberos problem - Windows7+” here:
http://bigfix.me/fixlet/details/3783

In a related note, I published a task “Configuration: Enable Kerberos Logging - Windows” here:
http://bigfix.me/fixlet/details/3782

In a less related note, I published an analysis “Client Clock Audit - Kerberos” here:
http://bigfix.me/analysis/details/2994647
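The following PowerShell is an added example for this thread, not the poster's own content and not the bigfix.me tasks linked above. It checks a Windows 7+ host for the two updates the post associates with the logon problem (KB2871997 together with KB2748437), turns on Kerberos client event logging using the documented `LogLevel` registry value, and compares the local clock against the logon domain controller, since Kerberos rejects tickets outside the domain's clock-skew tolerance (5 minutes by default). Assumptions: the KB numbers are the ones named in the thread, `$env:LOGONSERVER` names a reachable DC, and the script is run from an elevated prompt. The `wusa.exe` rollback command in the comment is the generic Windows uninstall syntax, not a description of what the linked task does.

```powershell
# Added example (not from the forum post or the bigfix.me tasks). Run elevated.
# Assumptions: KB list as named in the thread; LogLevel is the documented
# Kerberos client logging value; $env:LOGONSERVER points at a reachable DC.

$SuspectKbs = @('KB2871997', 'KB2748437')

function Test-SuspectUpdateCombination {
    # Returns $true only when every listed KB is installed, i.e. the combination
    # the post says exhibits the "username alone fails at the console" behaviour.
    param([string[]]$Kbs = $SuspectKbs)

    $status = foreach ($kb in $Kbs) {
        # Get-HotFix raises a non-terminating error for a missing KB; suppress it
        # and treat an empty result as "not installed".
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            KB          = $kb
            Installed   = [bool]$hf
            InstalledOn = if ($hf) { $hf.InstalledOn } else { $null }
        }
    }
    $status | Format-Table KB, Installed, InstalledOn -AutoSize | Out-Host
    return (@($status | Where-Object { -not $_.Installed }).Count -eq 0)
}

function Enable-KerberosLogging {
    # LogLevel = 1 under Lsa\Kerberos\Parameters makes the Kerberos client write
    # KDC error codes (pre-auth failures, clock skew, unknown principal) to the
    # System event log with source "Kerberos", which is what you need to see why
    # a plain "username" logon fails while "username@domain.tld" succeeds.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name LogLevel -Value 1 -Type DWord
    Get-ItemProperty -Path $key -Name LogLevel
}

function Get-KerberosClockSkew {
    # Kerberos rejects tickets when client and KDC clocks differ by more than the
    # domain's MaxClockSkew (5 minutes by default). Sample the offset against the
    # DC that authenticated this session (LOGONSERVER looks like \\DC01).
    $dc = $env:LOGONSERVER -replace '^\\\\', ''
    if (-not $dc) { throw 'LOGONSERVER is not set; run this from a domain logon session.' }
    # /dataonly prints "time, +/-offset" lines; large or growing offsets mean trouble.
    w32tm /stripchart /computer:$dc /samples:3 /dataonly
}

# Usage: report hosts that match the reported failure profile, then gather evidence.
if (Test-SuspectUpdateCombination) {
    Write-Warning "Both $($SuspectKbs -join ' and ') are present; this host matches the reported failure profile."
    Enable-KerberosLogging
    Get-KerberosClockSkew
    # Generic rollback of the security update (standard wusa syntax, shown for reference):
    #   wusa.exe /uninstall /kb:2871997 /quiet /norestart
} else {
    Write-Host 'Update combination not present on this host.'
}
```

Run the detection part across the fleet before deciding on a rollback: the post notes that not every machine with KB2871997 is affected, so the interesting population is the one where both KBs are installed, and the Kerberos event log on those hosts will show the actual KDC error behind the console logon failure.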

(imported comment written by d.limanov)

Can you please elaborate? Local users were unable to login, or domain? And via interactive login or login via Remote Desktop or psexec/named pipes/admin share?

Thanks!

(imported comment written by jgstew)

Domain users could not log in on the physical machine using just their “username” with the default domain for login defined; they instead had to log in using “username@domain.tld” at the login window. “domain.tld\username” did not work either.

RDP did not seem to be affected.

This did not seem to affect ALL machines with the patch installed, but a lot of them. We are still investigating the root cause. We are using MIT Kerberos for authentication.

To be clear, this is a Microsoft update problem… it has nothing to do with IBM. It did not matter whether the machines with the problem had the patch installed through WSUS, Windows Update, or BigFix/IEM.

(imported comment written by d.limanov)

Thanks! This line worries me greatly, but I guess the other items have equal potential for borking things on both workstations and servers.

  • Credential cleanup in LSA
  • This feature reduces the attack surface of domain credentials in the LSA. Changes to this feature include: prevent network logon and remote interactive logon to domain-joined machine using local accounts, restrict logon credential cache to logon lifetime, restrict Kerberos/NTLM/Digest/CredSSP supplied credential cache, restrict Kerberos cache of plain text password, do not cache logon credential in CredSSP unless Credentials Delegation policy allows, and restrict use of logon credential for Digest.

(imported comment written by jgstew)

I could see why that would be concerning. I never tried a local account on a machine with the KB installed.

(imported comment written by jgstew)

Not all computers were affected with this issue, but a large percentage. The current theory is that there are updates applied to the broken systems that were not applied to the working ones and the combination is causing the issue.

This is related:
http://bigfix.me/relevance/details/2998911