PacRequestorEnforcement=2 and Failover Cluster - when is there a fix?

StephanG 811 Reputation points
2022-01-28T12:24:27.4+00:00

Hi everyone,

Due to the severity, we set all DCs to 2 in November. Now we see this error in the event log:

37 System Source: Kerberos-Key-Distribution-Center

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Ticket PAC constructed by: OURDC
Client: OURDOMAIN.DE\OURCL02$
Ticket for: krbtgt

We cannot leave it at 1 due to compliance - Cluster is working fine. Any other problems we should look after?

From:
https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
Known issues
After installing Windows updates released November 9, 2021 or later on domain controllers (DCs), some customers might see the new audit Event ID 37 logged after certain password setting or change operations such as:
Update or Repair failover cluster's CNO or VCO
Microsoft is investigating this issue. In the meantime, temporarily avoid setting PacRequestorEnforcement = 2 on affected environments.

BR
Stephan


1 answer

  1. Limitless Technology 39,391 Reputation points
    2022-01-31T09:21:39.88+00:00

    Hi there,

    There are no updates on the patch for the Events 35, 37 on DCs, PacRequestorEnforcement registry key. Maybe it might be done in the second deployment.

    The second deployment phase starts with the Windows update released on April 12, 2022. This phase removes the PacRequestorEnforcement setting of 0. Setting PacRequestorEnforcement to 0 after this update is installed will have the same effect as setting PacRequestorEnforcement to 1.

    Here is a thread as well that discusses the same issue; you can follow it for the status of this update:

    November 2021 Updates, Events 35, 37 on DCs, PacRequestorEnforcement registry key: Confusion and Questions
    https://learn.microsoft.com/en-us/answers/questions/632804/november-2021-updates-events-35-37-on-dcs-pacreque.html?page=2&pageSize=10&sort=oldest

    --------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--
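
As an added example (not part of either post and not Microsoft's code), the PowerShell below parses the Event ID 37 text quoted in the question and groups hits by requesting account, so you can see whether only cluster computer accounts are triggering the event. The function name, the sample events and the second client name are constructed for illustration.

```powershell
# Added example: triage KDC Event ID 37 by requesting account.
# Names below are hypothetical; the sample events are constructed.
function ConvertFrom-KdcEvent37Message {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        # Field labels as they appear in the event text quoted in the question.
        $patterns = [ordered]@{
            PacConstructedBy = 'Ticket PAC constructed by:\s*(?<v>\S+)'
            Client           = 'Client:\s*(?<v>\S+)'
            TicketFor        = 'Ticket for:\s*(?<v>\S+)'
        }
        $row = [ordered]@{}
        foreach ($name in $patterns.Keys) {
            $row[$name] = if ($Message -match $patterns[$name]) { $Matches['v'] } else { $null }
        }
        # sAMAccountNames of computer objects (cluster CNO/VCO included) end in '$'.
        $row['IsComputerAccount'] = [bool]($row['Client'] -and $row['Client'].EndsWith('$'))
        [pscustomobject]$row
    }
}

# Constructed sample: two events shaped like the one in the question,
# plus one from a made-up user account for contrast.
$clusterEvent = ('Ticket PAC constructed by: OURDC',
                 'Client: OURDOMAIN.DE\OURCL02$',
                 'Ticket for: krbtgt') -join "`n"
$userEvent    = ('Ticket PAC constructed by: OURDC',
                 'Client: OURDOMAIN.DE\exampleuser',
                 'Ticket for: krbtgt') -join "`n"
$sample = @($clusterEvent, $clusterEvent, $userEvent)

# One row per client, with a hit count and whether it is a computer account.
$sample | ConvertFrom-KdcEvent37Message |
    Group-Object Client |
    Select-Object Count, Name,
        @{ Name = 'IsComputerAccount'; Expression = { $_.Group[0].IsComputerAccount } }

# Live use on a DC (elevated session); the provider filter uses a wildcard
# because the question only shows the short source name:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 37 } |
#     Where-Object ProviderName -like '*Kerberos-Key-Distribution-Center' |
#     ForEach-Object Message | ConvertFrom-KdcEvent37Message
```

Clients that are not computer accounts, or computer accounts that are not cluster name objects, fall outside the known issue quoted in the question and deserve a closer look.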