Thanks for sharing.
I already banged my head for hours.
The DCs in the affected environment are on Server 2012 R2, is there an out-of-band update for 2012 R2?
On the target DCs you see this in the logs:
A Kerberos service ticket was requested.
Account Information:
Account Name: AzAppProxyHost$@DOMAIN.LOCAL
Account Domain: DOMAIN.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: HTTP/host.domain.local
Service ID: S-1-0-0
Network Information:
Client Address: ::ffff:10.10.xx.xx
Client Port: 49837
Additional Information:
Ticket Options: 0x40830000
Ticket Encryption Type: 0xFFFFFFFF
Failure Code: 0x29
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
Failure Code: 0x29:
0x29 KRB_AP_ERR_MODIFIED Message stream modified and checksum didn't match
Regards, Flo.
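Added example, not part of the post above: a small Python parser for the 4769 event body quoted there, which pulls out the requesting account, the SPN and the failure code, maps 0x29 to its RFC 4120 name, and flags that an encryption type of 0xFFFFFFFF means the KDC issued no ticket at all. The sample event text, SPN and client address are constructed placeholders.

```python
import re
# Constructed sample 4769 body modelled on the post's event (names/addresses are placeholders).
SAMPLE_4769 = """A Kerberos service ticket was requested.
Account Information:
Account Name: AzAppProxyHost$@DOMAIN.LOCAL
Account Domain: DOMAIN.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: HTTP/host.domain.local
Service ID: S-1-0-0
Network Information:
Client Address: ::ffff:10.10.0.5
Client Port: 49837
Additional Information:
Ticket Options: 0x40830000
Ticket Encryption Type: 0xFFFFFFFF
Failure Code: 0x29
Transited Services: -
"""

# Subset of RFC 4120 error codes as they appear in the 4769 "Failure Code" field.
KRB_ERRORS = {
    0x00: "SUCCESS",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0E: "KDC_ERR_ETYPE_NOSUPP",
    0x29: "KRB_AP_ERR_MODIFIED",
}
FIELD_RE = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.MULTILINE)

def parse_4769(body: str) -> dict:
    """Map the 'Key: value' lines of a 4769 body to a dict; hex fields become ints."""
    ev = {k.strip(): v.strip() for k, v in FIELD_RE.findall(body) if v.strip()}
    for key in ("Ticket Options", "Ticket Encryption Type", "Failure Code"):
        if key in ev:
            ev[key] = int(ev[key], 16)
    return ev

def triage_4769(body: str) -> dict:
    """Who asked for which SPN, from where, and why the KDC refused."""
    ev = parse_4769(body)
    code = ev.get("Failure Code", 0)
    return {
        "account": ev.get("Account Name"),
        "service": ev.get("Service Name"),
        "client": ev.get("Client Address"),
        "failure_name": KRB_ERRORS.get(code, f"UNKNOWN_0x{code:X}"),
        # 0xFFFFFFFF means no ticket was issued, i.e. the request failed at the KDC.
        "ticket_issued": ev.get("Ticket Encryption Type") != 0xFFFFFFFF,
        "ap_err_modified": code == 0x29,  # the 0x29 case discussed in the post
    }
```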