A systems administrator applies the latest monthly security patches to a domain controller (DC1). Immediately after DC1 reboots, users report that they can no longer log in to a legacy, in-house web application hosted on a member server (APP1). The application returns an authentication error. The administrator confirms that users can still access file shares on APP1 and that their domain accounts are not locked. Which of the following is the MOST likely cause of this issue?
A firewall rule, modified by the update on DC1, is now blocking authentication traffic from APP1.
The system time on APP1 is out of sync with DC1, exceeding the Kerberos maximum time skew.
The application's service account permissions were reset during the domain controller's patching process.
The security update on DC1 disabled a legacy authentication protocol required by the application.
The correct answer is that the security update on DC1 likely disabled a legacy authentication protocol that the application requires. This is a classic example of a downstream failure, where an update to an upstream server (the domain controller) causes a failure in a dependent service (the legacy application). Security patches frequently disable older, less secure protocols (like NTLMv1, TLS 1.0, or weak ciphers) to improve security. If a legacy application is hardcoded to use one of these deprecated protocols, its authentication will fail after the server it relies on is updated.
Clock skew between the servers is a common cause of Kerberos authentication failures, but it is less likely to be caused directly by a patch installation. Furthermore, the fact that other domain services like file shares are working suggests Kerberos itself is functioning correctly.
While a patch could theoretically alter firewall rules, it is uncommon for a standard security update to block well-known authentication ports. It's more likely to address vulnerabilities at the protocol level.
Application service account permissions are generally not altered by automated OS patch installations; such a change would typically require manual intervention by an administrator.