Warning: KB3002657 can break authentication, with Exchange and other apps & devices


Last Updated: 3/17/15: Microsoft added this note to the MS15-027 post

V2.0 (March 16, 2015): To address a connectivity issue with update 3002657 when installed on supported editions of Windows Server 2003, Microsoft released update 3002657-v2 for all supported editions of Windows Server 2003. Customers who have not already installed the 3002657 update should install update 3002657-v2 to be fully protected from this vulnerability. To avoid the possibility of future detection logic problems, Microsoft recommends that customers running Windows Server 2003 who have already successfully installed the 3002657 update also apply update 3002657-v2 even though they are already protected from this vulnerability. Customers running other Microsoft operating systems are not affected by this rerelease and do not need to take any action. See Microsoft Knowledge Base Article 3002657 for more information.

Download KB3002657 v2 here: x86 | x64 | Itanium

The v1 KB3002657 update, which addresses the vulnerability in MS15-027, breaks authentication for some applications and devices that use NTLM. This includes SMB/SMB2/SMB3 clients (file shares and NAS) and others. Per some reports it can also break IIS Integrated Windows Authentication, even on sites set to Basic authentication. Your issues will vary with the Domain Controller OS version (2003 seems to be affected the most) and the server OS. This vulnerability is also known as CVE-2015-0005.

Windows 2003 DCs validating NTLM authentication are affected by this update. There have been reports of other OS versions being affected, but those have not been confirmed.

MS15-027: Vulnerability in NETLOGON Could Allow Spoofing:

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow spoofing if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system. The attacker must be logged on to a domain-joined system and be able to observe network traffic.

In most cases, after installing this update on a Windows 2003 DC, users will be prompted for authentication over and over, without success. With Exchange it seems to break OWA, Outlook Anywhere, and even mail delivery (server to server authentication) in some environments.

Workaround: Install v2 of KB3002657 or switch to Kerberos authentication if possible. Download v2: x86 | x64 | Itanium
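One way to find the DCs that still carry the v1 update, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed where it runs and that WMI (which Get-HotFix uses) is reachable on each DC. Because Get-HotFix reports v1 and v2 under the same KB number, the script treats an install dated before the v2 release on March 16, 2015 as v1; that date heuristic is an assumption, not something the update itself reports.

```powershell
# Added example (not from the original post): inventory domain controllers and flag
# those still running the v1 KB3002657 update that the post describes.
# Assumptions: RSAT ActiveDirectory module present, Get-HotFix can reach each DC over
# WMI, and an install dated before the v2 release (2015-03-16) is v1.
Import-Module ActiveDirectory

$v2ReleaseDate = Get-Date '2015-03-16'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $hotfix = $null
    try {
        $hotfix = Get-HotFix -Id KB3002657 -ComputerName $dc.HostName -ErrorAction Stop |
            Select-Object -First 1
    } catch {
        # Not installed, or the DC could not be reached; report it either way.
    }

    $status = if (-not $hotfix) {
        'not installed (or unreachable)'
    } elseif ($hotfix.InstalledOn -and $hotfix.InstalledOn -lt $v2ReleaseDate) {
        'v1 installed - apply KB3002657-v2 (2003) or expect NTLM failures'
    } else {
        'installed (assumed v2 by install date)'
    }

    [pscustomobject]@{
        DC          = $dc.HostName
        OS          = $dc.OperatingSystem
        Is2003      = $dc.OperatingSystem -like '*2003*'
        InstalledOn = $hotfix.InstalledOn
        Status      = $status
    }
}

# 2003 DCs first, since those are the ones the post says are affected.
$results | Sort-Object Is2003 -Descending | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation with Windows PowerShell. A DC that shows as "not installed (or unreachable)" still needs a manual check, since a WMI or firewall problem looks the same as a missing update.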

See these articles for more details

I was first made aware of this issue on the Exchange 2013 Information Sharing Group on Facebook, but it also came up in a mailing list I follow. This update, KB3002657, causes authentication issues with SharePoint, Exchange, SQL, and more. Mainly, it breaks AD authentication against Windows 2003 domain controllers.

In addition, this update may break authentication with other systems/applications; for example, the EMC Isilon and Dell FS Series NAS can fail to authenticate. Microsoft has included the following note on the KB:

SMB/SMB2/SMB3 clients may experience logon failures to an EMC Isilon cluster when they authenticate by using the NTLMSSP (NT LAN Manager Security Support Provider) provider. Data that resides on EMC Isilon clusters is unavailable to SMB/SMB2/SMB3 clients. This results in data unavailable (DU) failures. Authentication failures may also affect clients that try to access data through HTTP-based protocols such as RAN.

Workaround: Use the Kerberos protocol to authenticate Active Directory domain users.
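Before relying on the Kerberos workaround it helps to know which logons on a given server are actually being validated with NTLM, since Kerberos silently falls back to NTLM when it cannot be used (the comments below describe exactly that). The following is an added PowerShell example, not from the original post or from Microsoft's KB. It assumes it runs elevated on a Windows Server 2008 or later member server (Exchange, SharePoint, IIS) with logon auditing enabled, and reads the AuthenticationPackageName and LmPackageName fields of Security event 4624.

```powershell
# Added example (not from the original post or Microsoft's KB): list the network logons
# on this server that are still being validated with NTLM, so you know which clients
# the "switch to Kerberos" workaround has to cover.
# Assumptions: run elevated on Windows Server 2008 or later; Security log auditing for
# logon events is enabled; the server has recent 4624 events.
$MaxEvents = 5000

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents $MaxEvents -ErrorAction Stop

$logons = foreach ($e in $events) {
    # 4624 carries its fields in EventData/Data elements keyed by the Name attribute.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType   = $data.LogonType                 # 3 = network (SMB, IIS), 10 = RDP, 2 = interactive
        AuthPackage = $data.AuthenticationPackageName # 'Kerberos' or 'NTLM'
        NtlmVersion = $data.LmPackageName             # e.g. 'NTLM V2', only set for NTLM logons
        Source      = $data.IpAddress
    }
}

# Network logons that still use NTLM are the ones the v1 update can break once the
# server forwards them to a 2003 DC for validation.
$ntlm = $logons | Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LogonType -eq '3' }

$ntlm | Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Accounts that appear here with a Kerberos-capable client (a domain-joined Windows box reaching the server by its registered SPN) usually point at a missing or duplicate SPN or at clients connecting by IP address, both of which force the NTLM fallback; NAS devices and third-party SMB clients that only speak NTLMSSP will keep showing up until the DCs are patched with v2.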

About Jason Sherry

I am a ~30-year Exchange consultant and expert. I currently work for Commvault as a Solutions Specialist for Microsoft Infrastructure. For more info see my resume at: http://resume.jasonsherry.org
This entry was posted in Exchange, SharePoint, Technical, Windows.

13 Responses to Warning: KB3002657 can break authentication, with Exchange and other apps & devices

  1. peter stringer says:

    We also had big issues with our Websense filtering application, which uses ISA 2006: all users were getting a login prompt in IE and Chrome which denied them access even after entering their credentials. We also lost access to file shares and our in-house HR web system, plus a whole host of SQL access problems. I checked and we were using Kerberos, I thought, but in some cases if this fails it defaults to NTLM. We removed the patch from our DCs and it worked.


    • jasonsherry says:

      What OS version are your DC running?

      Why are you still using ISA 2006 also? Its mainstream support ended in 1/2012. Just curious.


      • peter stringer says:

        We have a 2003 native active directory and our ISA 2006 solution is being upgraded to websense cloud during the next six months.


      • jasonsherry says:

        So 2003 OS or Domain & forest mode on 2008+?

        If running 2003, upgrade them also; 2003 is out of support also!


  2. peter stringer says:

    We run 2003 DCs with 2008 member servers in a single domain; we are starting a 2012 AD upgrade next month.


  3. Erik says:

    I’m running a 2012 R2 DC and this update also broke shares and prompted users for authentication to browse the web. Removed the update, and all is fixed.


  4. Pingback: KB3002657 v2 release for Windows 2003 – Fixes authentication issues on 2003 DCs | Jason (Izzy) Sherry's Blog

  5. Pingback: Weekly IT Newsletter – March 9-13, 2015 | Just a Lync Guy
