1

I have a Sharepoint 2019 on-premise running with Kerberos Authentication through ADFS Non-Claims Aware Relying party trust behind WAP. i have update the SSL certificate on all the sharepoint server farm and ADFS and WAP, now if i go through WAP and ADFS i am able to authenticate but after authentication sharepoint throws 500 error.

can any one tell how to update the Certificate properly on WAP and ADFS and also Sharepoint.

  1. I am using ADFS(Non-Claims Aware Relying party Trust) and WAP in front of the SP19 and ADFS and WAP are installed with new Certificate and i am able to get the login screen from ADFS with New Certificate.
  2. the SharePoint Pages are working if i login directly pointing the sharepoint IP, using Windows Authentication Popup.

Troubleshoot:-

  1. The connection between WAP and ADFS Proxy working fine.
  2. ADFS is able to Authenticate with my DC,
  3. Once Authentication completed, i am getting Error 500 the below Screen,
  4. Browser Inspect shows nothing useful
  5. Event Error found with the event ID 12027 on the WAP Server Unable to retrieve Kerberos Ticket for the User.
T.Anand
  • 463
  • 2
  • 6
  • 19
  • 1
    Can you please have a look at the WAP Server logs, i think this could be related to the Kerberos Ticket, and then let me know the error if any with the event ID 12027 – karhtik Nov 27 '21 at 15:16
  • 1
    you are right, i am able to see the event Error ID 12027. and is related to Kerberos Ticket issue. – T.Anand Nov 27 '21 at 15:49

1 Answers1

1

This Kerberos Ticket Issue is because of the Novemeber Windows patch Update on the domain controller.

"After installing the November security updates, released November 9, 2021 on your Domain Controllers (DC) running a Windows Server versions listed below in affected platforms, you might have authentication failures on servers relating to Kerberos Tickets"

Affected environments might be using the following:

  • Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD)
  • Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO)
  • Active Directory Federated Services (ADFS)
  • Microsoft SQL Server
  • Internet Information Services (IIS) using Integrated Windows Authentication (IWA)
  • Intermediate devices including Load Balancers performing delegated authentication

Resolution: This issue was resolved in the out-of-band update KB5008602 released November 14, 2021. It is a cumulative update, so you do not need to apply any previous update before installing it. To get the standalone package for KB5008602, search for it in the Microsoft Update Catalog. You can import this update into Windows Server Update Services (WSUS) manually. See the Microsoft Update Catalog for instructions. Note KB5008602 is not available from Windows Update and will not install automatically.

Source - https://learn.microsoft.com/en-ca/windows/release-health/status-windows-10-1809-and-windows-server-2019#issue-details

karhtik
  • 506
  • 3
  • 15
  • This is worked, once i updated the DC with the mentioned KB, i am able to get the Kerberos ticket from the DC and able to authenticate, thank you – T.Anand Dec 03 '21 at 16:40