This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 97%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Yesterday, I installed the November 9, 2021 update KB5007192 on my Windows Server 2016 test network (2 DCs, 2 E2K16, 2 SP2016, 1 OOS, 2 SQL2016, and 1 Windows 10 21H1) with no 3rd party products, no public facing platforms including email. So, pretty simple setup.
I then installed on the DCs only the the November 14, 2021 emergency out-of-band update KB5008601.
Neither DC has the PacRequestorEnforcement registry key. The key does not exist. QUESTIONS: Is the key supposed to exist or are we supposed to add it? (KB5008380 on the Kerberos TGT PAC changes in November 9, 2021 update is confusing and lacks adequate guidance.) If we are supposed to add the key, are we supposed to add it *just to the DCs *or to all clients (all member servers, workstations) too?
Event IDs 35 (PAC without attribute) and 37 (Ticket without Requestor) as described in KB5008380 (https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041) started after the Nov 9 update and *continue after the Nov 14 update. (I assume events are not related to Nov 9 authentication bug, and no authentication errors that I can see in the Security (or App or System) logs on the DCs or clients, but I installed Nov 14 update anyway.)
Oddly, on *each DC I am getting Event 35 about both DCs (the other DC *and the DC generating the event). I am getting Event 37 about all the clients (member servers and the W10 machine) plus SharePoint service accounts (AD farm, service apps accounts), SQL service account (AD account running the SQL service), SQL Cluster$ account, and Exchange Health Mailboxes. (Geez, the Health Mailboxes !?)
I searched online and found two other posts reporting the same events, one for Windows Server 2012 R2 (https://learn.microsoft.com/en-us/answers/questions/630388/server-2012-r2-std-generates-event-id-37-microsoft.html) and one for Windows Server 2019 (https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019). The first poster with W2K12 R2 also installed the Nov 14th update. No definitive answers last I checked the posts; just guesses and surmises.
QUESTIONS: Are Events 35 and 37 occurring because the PacRequestorEnforcement registry key does not exist? Will the events resolve if we add the registry key with a value of 1? And if yes, do we add the registry key to DCs only, or to all domain-joined Windows machines? What if the events continue after adding the registry key, then what? I mean, geez, are we going to have an issue with SharePoint, OOS, SQL, and Exchange? They are pretty much set up the way Microsoft SharePoint, OOS, and Exchange teams tell us to set them up. SP uses Constrained Delegation (any protocol) for some service apps, and claims authentication for web apps. Exchange setup is strictly by using Microsoft Exchange team guidance. I didn't find anything online from those teams on this update, did I miss posts?
It would be great to have definitive answers to my questions, and much better instructions and guidance from Microsoft. Definitely going to wait before installing updates on production environment.
Thanks,
Joan
I have 2 of 5 domain controllers are still 2016 and one has these events 35, 37. Only one has the KB5007192 update. I'm patching the second one right now so will be able to let you know more shortly.
So much for shortly. I now need to patch them all so this will take it into tomorrow.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 75%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi
It is a month after all our DCs patched with November 9 patch and restarted, and 4 days after patched and restarted with December 14 patch - all DCs are Windows 2016.
But even today, we are still get many 35 + 37 events of some users accounts and of few Cluster computer accounts.
Tickets that were generated by and logged by multiple DCs.
Our maximum lifetime for Kerberos tickets are MS defaults. So maximum lifetime for user ticket renewal is one week, so I simply not sure what's going on here.
Any official words from Microsoft on this matter?
Its now looking like the events 35, 37 will go away as the members get patched.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Sorry for delay in responding back, I was on vacation all last week.
I just checked this morning and saw that both events 35 and 37 have *not occurred for "7 days" (Event Viewer Summary pane). Details: I installed the emergency patch 5008601 on DC1 on 11/17 (reboot 11:57 PM) and DC2 on 11/18 (reboot 12:29 AM). The events stopped on 11/24 at 2:47 PM and 12:56 PM respectively. I include the times to show it's not exactly 7 days from reboot time to time the events stopped. The DCs have not rebooted since the emergency patch reboot; this indicates the reason for the events stopping is not reboots. (And I checked the registry, the key has not magically appeared.) Remember, all member servers and W10 had the 11/9 update installed by or on 11/18 and none have the emergency patch.
Currently I have no clue as to why the events stopped.
Joan
Most likely the rest of domain members have been patched as well.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
ALL domain members were patched by or on 11/18, *as I noted in my post and reply. I'm the one who patched them ALL. No correlation between last member patched time and events stopping; there's a 6+ day difference.
Hi there,
You will get the registry in the Second deployment.
These Windows Updates will be released in three phases:
Initial deployment – Introduction of the update, as well as the PacRequestorEnforcement registry key
Second deployment – Removal of PacRequestorEnforcement value of 0 (ability to disable the registry key)
Enforcement phase – Enforcement mode is enabled. Removal of PacRequestorEnforcement registry key
--If the reply is helpful, please Upvote and Accept it as an answer--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 13%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
That's a contradiction...
You will get the registry in the Second deployment.
And:
Initial deployment – Introduction of the update, as well as the PacRequestorEnforcement registry key
But never mind, the registry key isn't available after the initial deployment, even if all DC's are patched. (3 Windows 2016 DC's)
I wonder if you could add this manually so we can get rid of all Event ID 37 events, overwhelming the eventlogs.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 53%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
But never mind, the registry key isn't available after the initial deployment, even if all DC's are patched. (3 Windows 2016 DC's)
Alright
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 36%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMW%3C/text%3E%3C/svg%3E)
Keep in mind that these 7 days result from the following both settings which is default if nothing other is applied:
Maximum Lifetime For User Ticket Renewal (7days)
Maximum Lifetime For User Ticket (10hours)
Which allows for TGT refresh for 7days + 10hours of the ticket lifetime itself starting the day all DCs have been updated
So the PAC message should then disappear.
If you have individual settings for above Kerberos policy settings, you have to do the math to reflect them.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 83%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
I can confirm this; I patched half of my DCs 14th and are no longer showing the 37 EventIds and the other half patched 21st Dec are still showing. To be precise latter DCs don't update the PAC with requestor on renewal Tickets. Once the these disappear (7 days); intend to rollout the registry key and enforce. Till then I've enabled our SIEM to collect Event 4662s
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 41%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEN%3C/text%3E%3C/svg%3E)
we have almost the same problems with 6 DC and Windows 2012R2. After the update on 2021-11-08 the Kerberos errors occurred.
The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\PacRequestorEnforcement does not exist.
On 2 DC we applied the new update KB5008603 11/14/2021 today.
Even after that the registry key was not present.
Since 2 hours the 2 DC did not report any error.
Should the registry key be generated automatically ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 69%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi There,
We patched our DC's with KB5008601(Win 2016) without installing the 9th November Updates (KB5007192)
Yet, the registry key PacRequestorEnforcement does not exist on our DC's.
Should the registry appear upon installing the Windows Update (KB5008601)?
No the registry key will not appear after applying the latest November updates, this needs to be created manually for now, it will be automatically added in 2022 updates.
For more information, see: https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 94%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
The key does not need to be added manually UNLESS you want to change the default value. After the update, no key is the same as having the key with a value of 1. If you want the value to be 0 or 2, then the key and value needs to be added manually. The KB describes the difference between the values.
The April '22 update will remove the setting of 0 IF you previously set it 0. It will have the same effect as 1... or no key at all. If you previously set the key to 2, that setting will remain.
The July '22 update will remove the key and setting altogether.
The KB does not state how to stop the new events we're seeing in the event logs. Perhaps they will stop once the July '22 updates are applied (which transitions the DCs to enforcement mode.