Last updated 3/17/15: Microsoft added the following note to the MS15-027 bulletin:
V2.0 (March 16, 2015): To address a connectivity issue with update 3002657 when installed on supported editions of Windows Server 2003, Microsoft released update 3002657-v2 for all supported editions of Windows Server 2003. Customers who have not already installed the 3002657 update should install update 3002657-v2 to be fully protected from this vulnerability. To avoid the possibility of future detection logic problems, Microsoft recommends that customers running Windows Server 2003 who have already successfully installed the 3002657 update also apply update 3002657-v2 even though they are already protected from this vulnerability. Customers running other Microsoft operating systems are not affected by this rerelease and do not need to take any action. See Microsoft Knowledge Base Article 3002657 for more information.
The v1 release of KB3002657, the update shipped with bulletin MS15-027, breaks authentication for some applications and devices that authenticate with NTLM. This includes SMB/SMB2/SMB3 clients (file shares, NAS appliances) and other NTLM-dependent clients. It can also break IIS integrated authentication, reportedly even when the site is set to Basic. Symptoms vary with the domain controller version (Windows Server 2003 DCs appear to be affected the most) and the server OS. The vulnerability the update fixes is CVE-2015-0005.
Windows 2003 DCs handling NTLM authentication are affected by this update. There have been reports of other OS versions being affected, but those have not been confirmed.
MS15-027: Vulnerability in NETLOGON Could Allow Spoofing:
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow spoofing if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system. The attacker must be logged on to a domain-joined system and be able to observe network traffic.
In most cases, after this update is installed on a Windows 2003 DC, users are prompted for credentials over and over and never get in. In Exchange environments it has been reported to break OWA, Outlook Anywhere, and even server-to-server mail delivery (which relies on server authentication).
Workaround: install v2 of KB3002657 or, where possible, switch the affected clients to Kerberos authentication. Download v2: x86 | x64 | Itanium
See these articles for more details:
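Before choosing between the two workarounds it helps to know which hosts and accounts are still authenticating with NTLM against your DCs, since those are the ones the v1 update breaks and the ones that would have to move to Kerberos. The script below is an added example, not code from the original post or from Microsoft; it parses Security event 4624 (successful logon) and summarises NTLM versus Kerberos use per source host. It assumes a Windows Server 2008 R2 or later DC with PowerShell 3.0+ and success auditing enabled for the Logon subcategory (Get-WinEvent and the 4624 schema are not available on Windows Server 2003 itself, so run it on a newer DC in the same domain). The sample events, account names and IP addresses are constructed for the demonstration.

```powershell
# Added example, not code from the original post or from Microsoft.
# Inventories which accounts and hosts authenticate with NTLM versus Kerberos
# against a domain controller, using Security event 4624 (successful logon).
# Assumptions: Windows Server 2008 R2+ DC, PowerShell 3.0+, success auditing
# enabled for the Logon subcategory. Event 4624 fields used: TargetUserName,
# TargetDomainName, LogonType, AuthenticationPackageName ('NTLM' or 'Kerberos'),
# LmPackageName, WorkstationName, IpAddress.

function ConvertFrom-LogonEvent {
    # Flattens one 4624 event (as XML) into an object with the fields we need.
    param([Parameter(Mandatory)][xml]$EventXml)

    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Workstation = $data['WorkstationName']
        IpAddress   = $data['IpAddress']
        LogonType   = [int]$data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        LmPackage   = $data['LmPackageName']   # 'NTLM V1', 'NTLM V2', or '-' for Kerberos
    }
}

function Get-AuthPackageSummary {
    # Groups network-style logons (types 3, 8 and 10) by authentication package
    # and source host. The NTLM rows are the ones exposed to the KB3002657 v1
    # breakage and the candidates for the "switch to Kerberos" workaround.
    param([Parameter(Mandatory)][object[]]$Logons)

    $Logons |
        Where-Object { $_.LogonType -in 3, 8, 10 } |
        Group-Object AuthPackage, Workstation |
        ForEach-Object {
            [pscustomobject]@{
                AuthPackage = $_.Group[0].AuthPackage
                Workstation = $_.Group[0].Workstation
                IpAddress   = $_.Group[0].IpAddress
                Accounts    = ($_.Group.User | Sort-Object -Unique) -join ', '
                Logons      = $_.Count
            }
        } | Sort-Object AuthPackage, Logons -Descending
}

function New-SampleLogonEvent {
    # Builds a minimal 4624-shaped XML string from a hashtable. Test data only;
    # real events carry many more <Data> elements than we construct here.
    param([Parameter(Mandatory)][hashtable]$Fields)
    $data = ($Fields.GetEnumerator() |
        ForEach-Object { '<Data Name="{0}">{1}</Data>' -f $_.Key, $_.Value }) -join ''
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4624</EventID></System>' +
    ('<EventData>{0}</EventData></Event>' -f $data)
}

# Constructed sample events (hypothetical hosts and accounts, not real log data)
# so the script runs offline. A NAS service account over NTLM, a workstation
# user over Kerberos, the same user falling back to NTLM through a proxy, and
# an interactive logon (type 2) that the summary should ignore.
$sampleEvents = @(
    @{ TargetUserName = 'svc_nas'; TargetDomainName = 'CORP'; LogonType = 3
       AuthenticationPackageName = 'NTLM'; LmPackageName = 'NTLM V2'
       WorkstationName = 'ISILON01'; IpAddress = '10.0.0.50' },
    @{ TargetUserName = 'jdoe'; TargetDomainName = 'CORP'; LogonType = 3
       AuthenticationPackageName = 'Kerberos'; LmPackageName = '-'
       WorkstationName = 'WS-0042'; IpAddress = '10.0.1.42' },
    @{ TargetUserName = 'jdoe'; TargetDomainName = 'CORP'; LogonType = 3
       AuthenticationPackageName = 'NTLM'; LmPackageName = 'NTLM V2'
       WorkstationName = 'ISA01'; IpAddress = '10.0.0.10' },
    @{ TargetUserName = 'admin'; TargetDomainName = 'CORP'; LogonType = 2
       AuthenticationPackageName = 'Negotiate'; LmPackageName = '-'
       WorkstationName = 'DC01'; IpAddress = '-' }
) | ForEach-Object { New-SampleLogonEvent $_ }

$parsed = $sampleEvents | ForEach-Object { ConvertFrom-LogonEvent ([xml]$_) }
Get-AuthPackageSummary $parsed | Format-Table -AutoSize

# Against a live DC, replace the sample with the most recent real events:
# $parsed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#           ForEach-Object { ConvertFrom-LogonEvent ([xml]$_.ToXml()) }
```

Run it on each DC, not just one, because clients pick whichever DC answers first. Hosts that show up only under NTLM (NAS appliances, proxies such as ISA, anything reached by IP address rather than by an SPN-bearing name) are the ones to either patch with v2 or reconfigure for Kerberos before rolling the update out further. Kerberos requires the client to address the server by a name with a registered SPN, which is why IP-based shares and some appliances fall back to NTLM regardless of policy.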
- http://www.infoworld.com/article/2895900/security/microsoft-netlogon-patch-kb-3002657-woes-continue-kb-3032359-cisco-anyconnect-fix-confirmed.html
- http://www.infoworld.com/article/2895022/security/problems-reported-with-microsoft-patch-kb-3002657-and-a-warning-on-kb-3046049.html
- https://www.pickysysadmin.ca/2015/03/11/kb3002657-breaks-everything/
- http://milcinoski.blogspot.com/2015/03/issues-reported-with-microsoft-patch-kb.html
- http://serverfault.com/questions/674541/has-march-2015-patch-tuesday-broken-2003-shares
I was first made aware of this issue on the Exchange 2013 Information Sharing Group on Facebook, but it also came up on a mailing list I follow. This update, KB3002657, causes authentication issues with SharePoint, Exchange, SQL Server, and more. Chiefly, it breaks NTLM authentication against Windows 2003 domain controllers.
In addition, this update may break authentication with other systems and applications; for example, EMC Isilon and Dell FS Series NAS appliances can fail to authenticate. Microsoft has included the following note on the KB:
SMB/SMB2/SMB3 clients may experience logon failures to an EMC Isilon cluster when they authenticate by using the NTLMSSP (NT LAN Manager Security Support Provider) provider. Data that resides on EMC Isilon clusters is unavailable to SMB/SMB2/SMB3 clients. This results in data unavailable (DU) failures. Authentication failures may also affect clients that try to access data through HTTP-based protocols such as RAN.
Workaround: Use the Kerberos protocol to authenticate Active Directory domain users.
We also had big issues with our Websense filtering application, which uses ISA 2006: all users were getting a login prompt in IE and Chrome which denied them access even after entering their credentials. We also lost access to file shares and our in-house HR web system, plus a whole host of SQL access problems. I checked and we were using Kerberos, I thought, but in some cases if this fails it defaults to NTLM. We removed the patch from our DCs and it worked.
What OS version are your DC running?
Why are you still using ISA 2006 also? Its mainstream support ended in 1/2012. Just curious.
We have a 2003 native active directory and our ISA 2006 solution is being upgraded to websense cloud during the next six months.
So 2003 OS or Domain & forest mode on 2008+?
If running 2003, upgrade them as well; 2003 is out of support too!
We run 2003 DCs with 2008 member servers in a single domain; we are starting a 2012 AD upgrade next month.
I'm running a 2012 R2 DC and this update also broke shares and prompted users for authentication to browse the web. Removed the update, and all is fixed.
Thanks Erik, first confirmed report of this issue on 2012 R2 DCs. Were the member servers 2003 by chance?
Yes, we still have 2 2003 member servers that will be removed this summer. All desktops win7.
They finally admitted it was an issue
https://technet.microsoft.com/library/security/MS15-027?f=255&MSPPError=-2147217396
Thanks for the update. Adding that info to the post.
no problem. I just applied that fix on my domain controller and it worked. 🙂