Server 2012 R2 Std. generates Event ID 37 Kerberos-Key-Distribution-Center log every 5-10 mins after applying Nov-2021 Windows update & KB5008603

EcoAxis 356 Reputation points
2021-11-17T09:05:20.173+00:00

After installing KB890830 and KB5007247 on two DCs, a Microsoft-Windows-Kerberos-Key-Distribution-Center warning log is triggered nearly every 5 mins.

I also installed the fix below manually.
https://support.microsoft.com/en-us/topic/kb5008603-authentication-fails-on-domain-controllers-in-certain-kerberos-scenarios-on-windows-server-2012-r2-1beea7a1-9a3c-48dd-a56d-c3cc3f5d0d50

But those logs still appear.

Please advise how to fix. Thanks.

Windows Server 2012

Accepted answer
  1. Leon Laude 85,646 Reputation points
    2021-11-17T09:22:32.617+00:00

    Hi @EcoAxis ,

    There is a mention of authentication failures with certain Kerberos delegation scenarios here:
    https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1809-and-windows-server-2019#2748msgdesc

    I suggest installing the latest November updates and checking whether that fixes the issue.

    Here's an article about this:
    https://www.bleepingcomputer.com/news/microsoft/new-microsoft-emergency-updates-fix-windows-server-auth-issues/

    Here's also another forum thread about this:
    https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019

    ----------

    If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

    Best regards,
    Leon


3 additional answers

  1. EcoAxis 356 Reputation points
    2021-11-19T03:25:45.373+00:00

    Both DCs have the latest Windows updates installed, and kb5008603 was installed manually.

    The Event ID 37 Kerberos-Key-Distribution-Center warning logs were gone after those client computers were turned on the next day. I found that the log records were related to different client computers, so it looked like they appeared every several minutes. Actually, each client computer name is triggered every hour (not every several minutes).

    I also found that fewer Event ID 37 logs still appeared the next day, as those client PCs had not been powered off after work. The warning log won't appear again after those client computers are restarted.

    But there is still another Event ID 35 warning log. It's related to both DCs only.

    Same issue as
    https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019

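To check the per-client pattern described in the answer above on your own DCs, the Event ID 35/37 warnings can be grouped by the client named in each event. This is an added example, not part of the original thread: the function names `Get-KdcWarningSummary` and `New-SampleEvent`, the `EXAMPLE\...` names and the sample events are constructed, and it assumes the event message carries a `Client: DOMAIN\NAME` line.

```powershell
# Added example: group KDC Event ID 35/37 warnings by the client they name.
function Get-KdcWarningSummary {
    param([Parameter(Mandatory)][object[]]$Events)

    $rows = foreach ($e in $Events) {
        # Assumption: the message contains a "Client: DOMAIN\NAME" line.
        $client = '(unparsed)'
        if ($e.Message -match '(?m)^\s*Client:\s*(\S+)') { $client = $Matches[1] }
        [pscustomobject]@{ Id = $e.Id; Client = $client; Time = $e.TimeCreated }
    }

    $rows | Group-Object Id, Client | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            EventId   = $_.Group[0].Id
            Client    = $_.Group[0].Client
            Count     = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } | Sort-Object LastSeen -Descending
}

# Constructed sample events (not real log data), shaped like Get-WinEvent output.
function New-SampleEvent($Id, $Time, $Client) {
    [pscustomobject]@{
        Id          = $Id
        TimeCreated = [datetime]$Time
        Message     = "Constructed sample text`nClient: $Client`nTicket for: krbtgt"
    }
}

$sample = @(
    New-SampleEvent 37 '2021-11-18T09:05:00' 'EXAMPLE\PC01$'
    New-SampleEvent 37 '2021-11-18T10:05:00' 'EXAMPLE\PC01$'
    New-SampleEvent 37 '2021-11-18T09:20:00' 'EXAMPLE\PC02$'
    New-SampleEvent 35 '2021-11-18T09:30:00' 'EXAMPLE\DC02$'
)

Get-KdcWarningSummary -Events $sample | Format-Table -AutoSize

# On a domain controller, feed it live events from the System log instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'
#     ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 35, 37 }
# Get-KdcWarningSummary -Events $live | Format-Table -AutoSize
```

A client whose `LastSeen` stops advancing after it has been restarted matches the behaviour reported above; one that keeps producing new entries is worth a closer look.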


  2. StephanG 811 Reputation points
    2021-11-22T19:10:19.907+00:00

    This is described here:
    https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

    Like many patches of Microsoft lately - this patch needs action after installing it.

    1. Update all devices that host the Active Directory domain controller role by installing the November 9, 2021 update.
    2. After the November 9, 2021 update has been installed on all Active Directory domain controllers for at least 7 days, we strongly suggest that you enable Enforcement mode on all Active Directory domain controllers.
    3. Starting with the July 12, 2022 Enforcement Phase update, Enforcement mode will be enabled on all Windows domain controllers and will be required.

    So these warnings are normal until all your DCs have enforcement mode enabled, or until it is forced in July.

    As it is rolled out like this - this seems to need some testing beforehand ;)


  3. JORGE COLMENARES 1 Reputation point
    2021-11-23T14:30:52.367+00:00

    Hello, I have the same issue. Does anyone know a fix to remediate this situation?