question

EcoAxis-3844 asked LeonLaude commented

Server 2012 R2 Std. generates Event ID 37 Kerberos-Key-Distribution-Center log every 5-10 mins after applying Nov-2021 Windows update & KB5008603

After installing KB890830 and KB5007247 on two DCs, a Microsoft-Windows-Kerberos-Key-Distribution-Center warning log is triggered nearly every 5 mins.

I also installed the fix below manually.
https://support.microsoft.com/en-us/topic/kb5008603-authentication-fails-on-domain-controllers-in-certain-kerberos-scenarios-on-windows-server-2012-r2-1beea7a1-9a3c-48dd-a56d-c3cc3f5d0d50

But those logs still appear.

Please advise how to fix. Thanks.


windows-server-2012

I'm experiencing exactly the same. After installing the November updates and manually applying the out-of-band update, the event log started filling up with these errors (sometimes also Event ID 35).

LeonLaude answered vadivelub commented

Hi @EcoAxis-3844,

There is a mention of authentication failures with certain Kerberos delegation scenarios over here:
https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1809-and-windows-server-2019#2748msgdesc

I suggest installing the latest November updates and checking if that fixes the issue.

Here's an article about this:
https://www.bleepingcomputer.com/news/microsoft/new-microsoft-emergency-updates-fix-windows-server-auth-issues/

Here's also another forum thread about this:
https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019


If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!


Best regards,
Leon


I suggest installing the latest November updates and checking if that fixes the issue.

The topic is called
Server 2012 R2 Std. generates Event ID 37 Kerberos-Key-Distribution-Center log every 5-10 mins after applying Nov-2021 Windows update & KB5008603


OK, it does appear that the last Windows update has started causing these events; it is also discussed over here:
https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019

For now there's no known official workaround/fix for this. The best thing for now is to wait for Microsoft to release official information about this, perhaps in a hotfix or upcoming patch.


@LeonLaude @EcoAxis-3844 @Roxs-1469
Since we got the out-of-band security patch to address the previous issues, do we need to roll back KB5008603 because of this warning? Is it suggested by Microsoft and AD SMEs that patched already?

EcoAxis-3844 answered vadivelub commented

Both DCs have the latest Windows update installed, and KB5008603 was installed manually.

The Event ID 37 Kerberos-Key-Distribution-Center warning logs were gone after those client computers were turned on the next day. I found that the log records were related to different client computers, so it looked like they appeared every several minutes. Actually, each client computer name is triggered every hour (not every several minutes).

I also found that fewer Event ID 37 logs still appeared the next day, as those clients had not been powered off after work. The warning log won't appear again after those client computers are restarted.



But I still have another Event ID 35 warning log. It's related to both DCs only.

Same issue as
https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019



So can this warning be ignored?
When the client is on, this warning is disabled on the DC.

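One way to check the pattern described in the answer above (warnings tied to individual client computers, each recurring about hourly and stopping once the client restarts) is to summarise the KDC warnings on a DC by what they refer to. This is an added example, not part of the original thread; it assumes it is run on a domain controller with rights to read the System log, and the 24-hour window and variable names are illustrative choices.

```powershell
# Added example: summarise KDC warnings 35/37 by their insertion strings.
# Assumption: run on a domain controller; 24-hour look-back is an arbitrary choice.
$provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$since    = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = $provider
    Id           = 35, 37
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Event ID 35/37 from $provider since $since."
    return
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Id      = $e.Id
        Time    = $e.TimeCreated
        # The insertion strings carry the account/ticket details of the event.
        # They are joined as-is so that no particular field order is assumed.
        Subject = ($e.Properties | ForEach-Object { [string]$_.Value }) -join ' | '
    }
}

# One output row per (event ID, subject): how often it fired and when it was last seen.
$rows | Group-Object -Property Id, Subject | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    $avgGap = if ($times.Count -gt 1) {
        # Average minutes between consecutive occurrences for this subject
        [math]::Round(($times[-1] - $times[0]).TotalMinutes / ($times.Count - 1), 1)
    } else { $null }

    [pscustomobject]@{
        Id        = $_.Group[0].Id
        Subject   = $_.Group[0].Subject
        Count     = $times.Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
        AvgGapMin = $avgGap
    }
} | Sort-Object LastSeen -Descending | Format-Table -AutoSize -Wrap
```

Rows whose `LastSeen` stops advancing after the corresponding client has been restarted match the behaviour reported above; rows that keep recurring show which subjects still need attention.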
StephanG answered

This is described here:
https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

Like many Microsoft patches lately, this patch needs action after installing it.

  1. Update all devices that host the Active Directory domain controller role by installing the November 9, 2021 update.

  2. After the November 9, 2021 update has been installed on all Active Directory domain controllers for at least 7 days, we strongly suggest that you enable Enforcement mode on all Active Directory domain controllers.

  3. Starting with the July 12, 2022 Enforcement Phase update, Enforcement mode will be enabled on all Windows domain controllers and will be required.

So these warnings are normal until all your DCs have the enforcement mode enabled. Or it is forced in July.

As it is rolled out like this - this seems to need some testing beforehand ;)



ColmenaresSanchezJorgeEnrique-6866 answered LeonLaude commented

Hello, I have the same issue. Does someone know a fix to remediate this situation?
