Last Updated: 3/17/15: Microsoft added this note to the MS15-027 post
V2.0 (March 16, 2015): To address a connectivity issue with update 3002657 when installed on supported editions of Windows Server 2003, Microsoft released update 3002657-v2 for all supported editions of Windows Server 2003. Customers who have not already installed the 3002657 update should install update 3002657-v2 to be fully protected from this vulnerability. To avoid the possibility of future detection logic problems, Microsoft recommends that customers running Windows Server 2003 who have already successfully installed the 3002657 update also apply update 3002657-v2 even though they are already protected from this vulnerability. Customers running other Microsoft operating systems are not affected by this rerelease and do not need to take any action. See Microsoft Knowledge Base Article 3002657 for more information.
The v1 KB3002657 update, which addresses issues in MS15-027, breaks authentication for some applications and devices that use NTLM for authentication. This includes SMB/SMB2/SMB3, used for file shares and NAS, and other clients. It can also break IIS integrated authentication, even if set to Basic per some reports. Your issues will vary depending on Domain Controller version, 2003 seems to be affected the most, and server OS. This vulnerability is also known as CVE-2015-0005.
Windows 2003 DCs using NTLM authentication is affected by this update. There have been reports of other OS versions being affected, but those have not been confirmed.
MS15-027: Vulnerability in NETLOGON Could Allow Spoofing:
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow spoofing if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system. The attacker must be logged on to a domain-joined system and be able to observe network traffic.
In most cases, after installing this update on a Windows 2003 DC, users will be prompted for authentication over and over, without success. With Exchange it seems to break OWA, Outlook Anywhere, and even mail delivery (server to server authentication) in some environments.
Workaround: Install v2 of KB3002657 or switch to Kerberos authentication if possible. Download v2: x86 | x64 | Itanium
See this articles for more details
I was 1st made aware of this issue on the Exchange 2013 Information Sharing Group on Facebook, but also came up in mailing list I follow. This update, KB3002657, causes authentication issues with SharePoint, Exchange, SQL, and more. Mainly it also breaks AD authentication against Windows 2003 domain controllers.
In addition, this update may break authentication with other systems\applications, for example the EMC Isilon and Dell FS Series NAS can fails to authenticate. Microsoft has included the following note on the KB:
SMB/SMB2/SMB3 clients may experience logon failures to an EMC Isilon cluster when they authenticate by using the NTLMSSP (NT LAN Manager Security Support Provider) provider. Data that resides on EMC Isilon clusters is unavailable to SMB/SMB2/SMB3 clients. This results in data unavailable (DU) failures. Authentication failures may also affect clients that try to access data through HTTP-based protocols such as RAN.
Workaround: Use the Kerberos protocol to authenticate Active Directory domain users.
We also had big issues with our Websense filtering application which uses ISA 2006, all users were getting a login prompt in IE and Chrome which denied them access even after entering their credentials. We also lost access to file shares and our in house HR web system, plus a whole host of sql access problems. I checked and we were using Kereberos I thought, but in some cases if this fails it defaults to ntlm, we removed the patch from our DC’s and it worked.
What OS version are your DC running?
Why are you still using ISA 2006 also? Its mainstream support ended in 1/2012. Just curious.
We have a 2003 native active directory and our ISA 2006 solution is being upgraded to websense cloud during the next six months.
So 2003 OS or Domain & forest mode on 2008+?
If running 2003 upgrade them also, 2003 is out of support also!
We run 2003 DC’s with 2008 Member servers single domain, we are starting a 2012 AD upgrade next month.
I’m running a 2012r2 DC and this update also broke shares and prompted users for authenitication to browse web.. Removed update, and all is fixed.
Thanks Erik, 1st confirmed reports of this issue on 2012 R2 DCs. Were the member servers 2003 by chance?
Yes, we still have 2 2003 member servers that will be removed this summer. All desktops win7.
They finally admitted it was an issue
Thanks for the update. Adding that info the post
no problem. I just applied that fix on my domain controller and it worked. 🙂
Pingback: KB3002657 v2 release for Windows 2003 – Fixes authentication issues on 2003 DCs | Jason (Izzy) Sherry's Blog
Pingback: Weekly IT Newsletter – March 9-13, 2015 | Just a Lync Guy