
2 Votes
jremmc-6708 asked CraigBrown-4765 commented

November 2021 Updates, Events 35, 37 on DCs, PacRequestorEnforcement registry key: Confusion and Questions

Yesterday, I installed the November 9, 2021 update KB5007192 on my Windows Server 2016 test network (2 DCs, 2 E2K16, 2 SP2016, 1 OOS, 2 SQL2016, and 1 Windows 10 21H1) with no 3rd party products, no public facing platforms including email. So, pretty simple setup.

I then installed on the DCs only the November 14, 2021 emergency out-of-band update KB5008601.

Neither DC has the PacRequestorEnforcement registry key. The key does not exist. QUESTIONS: Is the key supposed to exist or are we supposed to add it? (KB5008380 on the Kerberos TGT PAC changes in November 9, 2021 update is confusing and lacks adequate guidance.) If we are supposed to add the key, are we supposed to add it *just to the DCs* or to all clients (all member servers, workstations) too?

Event IDs 35 (PAC without attribute) and 37 (Ticket without Requestor) as described in KB5008380 (https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041) started after the Nov 9 update and *continue* after the Nov 14 update. (I assume events are not related to Nov 9 authentication bug, and no authentication errors that I can see in the Security (or App or System) logs on the DCs or clients, but I installed Nov 14 update anyway.)

Oddly, on *each* DC I am getting Event 35 about both DCs (the other DC *and* the DC generating the event). I am getting Event 37 about all the clients (member servers and the W10 machine) plus SharePoint service accounts (AD farm, service apps accounts), SQL service account (AD account running the SQL service), SQL Cluster$ account, and Exchange Health Mailboxes. (Geez, the Health Mailboxes !?)

I searched online and found two other posts reporting the same events, one for Windows Server 2012 R2 (https://docs.microsoft.com/en-us/answers/questions/630388/server-2012-r2-std-generates-event-id-37-microsoft.html) and one for Windows Server 2019 (https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019). The first poster with W2K12 R2 also installed the Nov 14th update. No definitive answers last I checked the posts; just guesses and surmises.

QUESTIONS: Are Events 35 and 37 occurring because the PacRequestorEnforcement registry key does not exist? Will the events resolve if we add the registry key with a value of 1? And if yes, do we add the registry key to DCs only, or to all domain-joined Windows machines? What if the events continue after adding the registry key, then what? I mean, geez, are we going to have an issue with SharePoint, OOS, SQL, and Exchange? They are pretty much set up the way Microsoft SharePoint, OOS, and Exchange teams tell us to set them up. SP uses Constrained Delegation (any protocol) for some service apps, and claims authentication for web apps. Exchange setup is strictly by using Microsoft Exchange team guidance. I didn't find anything online from those teams on this update, did I miss posts?

It would be great to have definitive answers to my questions, and much better instructions and guidance from Microsoft. Definitely going to wait before installing updates on production environment.

Thanks,
Joan






Tags: windows-server, windows-active-directory, windows-server-security

Hi

It is a month after all our DCs patched with November 9 patch and restarted, and 4 days after patched and restarted with December 14 patch - all DCs are Windows 2016.

But even today, we are still getting many 35 + 37 events for some user accounts and for a few Cluster computer accounts.
Tickets that were generated by and logged by multiple DCs.

Our maximum lifetimes for Kerberos tickets are the MS defaults. So the maximum lifetime for user ticket renewal is one week, so I'm simply not sure what's going on here.

Any official words from Microsoft on this matter?

1 Vote

2 of my 5 domain controllers are still 2016 and one has these events 35, 37. Only one has the KB5007192 update. I'm patching the second one right now so will be able to let you know more shortly.


0 Votes

So much for shortly. I now need to patch them all so this will take it into tomorrow.



0 Votes

0 Votes
ElitzerNorbert-1079 answered

We have almost the same problems with 6 DCs on Windows 2012 R2. After the update on 2021-11-08 the Kerberos errors occurred.
The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\PacRequestorEnforcement does not exist.

On 2 DCs we applied the new update KB5008603 (11/14/2021) today.
Even after that the registry key was not present.
For the past 2 hours the 2 DCs have not reported any errors.

Should the registry key be generated automatically?


1 Vote
DSPatrick answered jremmc-6708 commented

It's now looking like the events 35, 37 will go away as the members get patched.

--please don't forget to upvote and Accept as answer if the reply is helpful--



Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



0 Votes

Sorry for delay in responding back, I was on vacation all last week.

I just checked this morning and saw that both events 35 and 37 have *not* occurred for "7 days" (Event Viewer Summary pane). Details: I installed the emergency patch 5008601 on DC1 on 11/17 (reboot 11:57 PM) and DC2 on 11/18 (reboot 12:29 AM). The events stopped on 11/24 at 2:47 PM and 12:56 PM respectively. I include the times to show it's not exactly 7 days from reboot time to time the events stopped. The DCs have not rebooted since the emergency patch reboot; this indicates the reason for the events stopping is not reboots. (And I checked the registry, the key has not magically appeared.) Remember, all member servers and W10 had the 11/9 update installed by or on 11/18 and none have the emergency patch.

Currently I have no clue as to why the events stopped.

Joan

0 Votes

Most likely the rest of domain members have been patched as well.

--please don't forget to upvote and Accept as answer if the reply is helpful--



0 Votes

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



0 Votes

1 Vote
LimitlessTechnology-2700 answered AlbarMahadSanwal-0571 commented

Hi there,

You will get the registry in the Second deployment.

These Windows Updates will be released in three phases:

Initial deployment – Introduction of the update, as well as the PacRequestorEnforcement registry key

Second deployment – Removal of PacRequestorEnforcement value of 0 (ability to disable the registry key)

Enforcement phase – Enforcement mode is enabled. Removal of PacRequestorEnforcement registry key

https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041



--If the reply is helpful, please Upvote and Accept it as an answer--


That's a contradiction...

You will get the registry in the Second deployment.

And:

Initial deployment – Introduction of the update, as well as the PacRequestorEnforcement registry key

But never mind, the registry key isn't available after the initial deployment, even if all DCs are patched. (3 Windows 2016 DCs)
I wonder if you could add this manually so we can get rid of all the Event ID 37 events overwhelming the event logs.







0 Votes

But never mind, the registry key isn't available after the initial deployment, even if all DCs are patched. (3 Windows 2016 DCs)

Alright


0 Votes

0 Votes
JohannCasha-2863 answered MISAdmin-6413 commented

Hi There,

We patched our DCs with KB5008601 (Win 2016) without installing the 9th November updates (KB5007192).

Yet, the registry key PacRequestorEnforcement does not exist on our DCs.

Should the registry appear upon installing the Windows Update (KB5008601)?


No, the registry key will not appear after applying the latest November updates. This needs to be created manually for now; it will be automatically added in 2022 updates.
For more information, see: https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

0 Votes

The key does not need to be added manually UNLESS you want to change the default value. After the update, no key is the same as having the key with a value of 1. If you want the value to be 0 or 2, then the key and value needs to be added manually. The KB describes the difference between the values.

The April '22 update will remove the setting of 0 IF you previously set it 0. It will have the same effect as 1... or no key at all. If you previously set the key to 2, that setting will remain.

The July '22 update will remove the key and setting altogether.

The KB does not state how to stop the new events we're seeing in the event logs. Perhaps they will stop once the July '22 updates are applied (which transitions the DCs to enforcement mode).

1 Vote

0 Votes
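To check what the comment above describes on a given DC, here is an added example (not code from the thread or from Microsoft) that reports the effective PacRequestorEnforcement mode, treating a missing value as 1, and counts recent events 35/37. It assumes it runs elevated on a DC and that the events are logged in the System log under the Microsoft-Windows-Kerberos-Key-Distribution-Center provider, as KB5008380 describes.

```powershell
# Added example: effective PacRequestorEnforcement mode plus a count of events 35/37.
# Assumes an elevated session on a DC and the System-log provider named in KB5008380.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'PacRequestorEnforcement'

function Get-PacRequestorMode {
    # After the November 2021 update, no value behaves the same as a value of 1.
    $item  = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { $item.$ValueName }
    $effective = if ($null -eq $value) { 1 } else { [int]$value }
    $mode = switch ($effective) {
        0       { 'Disabled: new PAC not added (setting removed by the April 2022 update)' }
        1       { 'Deployment: new PAC added and validated when present (default)' }
        2       { 'Enforcement: KDC requires the new PAC' }
        default { "Unknown value $effective" }
    }
    [pscustomobject]@{
        KeyPresent      = ($null -ne $value)
        ConfiguredValue = $value
        EffectiveValue  = $effective
        Mode            = $mode
    }
}

function Get-PacEventSummary {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 35, 37
        StartTime    = $Since
    }
    # SilentlyContinue: Get-WinEvent raises a non-terminating error when nothing matches.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($id in 35, 37) {
        $subset = @($events | Where-Object Id -eq $id)
        [pscustomobject]@{
            EventId = $id
            Count   = $subset.Count
            Newest  = if ($subset.Count) { ($subset | Sort-Object TimeCreated -Descending)[0].TimeCreated } else { $null }
        }
    }
}

Get-PacRequestorMode | Format-List
Get-PacEventSummary  | Format-Table -AutoSize
```

Run it on each DC, since the thread shows the events being logged by whichever DC processed the ticket.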
MISAdmin-6413 answered

Same thing here Joan and I had the same questions. LimitlessTechnology - The second deployment only affects those who set the PacRequestorEnforcement to 0. By default, without a key (like we have after applying Nov's updates and the patch afterwards) we are essentially at 1. I'll have to monitor this thread to see what happens.


0 Votes
Konstantin-5708 answered Konstantin-5708 edited

KB 5008380 lies:
Data
1: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, no further action is taken. Active Directory domain controllers in this mode are in the Deployment phase.
...
Default 1 (when registry key is not set)

All our UPDATED!!! server 2019 DCs say The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more. Ticket PAC constructed by: DC-10 Client: ххх\\yyy$ Ticket for: krbtgt



0 Votes
jremmc-6708 answered DSPatrick commented

Everyone,

See my response today to DSPatrick that the 35, 37 events stopped on 11/24, 7 days (approximately, not exactly) after last event of each reported and I have no clue as to why. But happy about it to be sure. I did not/am not having any other errors on the DCs, and all the platforms (E2K, SP, SQL, OOS) did not/are not having any errors or issues. I am going to start installing the Nov update on production network and if I have a different experience I will report it here.

Joan


Glad to hear,

--please don't forget to upvote and Accept as answer if the reply is helpful--



0 Votes

0 Votes
Skywalker-6025 answered Skywalker-6025 edited

We have 2 Windows Server 2016 DCs and they are both updated. (Since 11/30)
I created the registry key and set it to "1".
I still see Events 35 and 37 saying that one of my DCs granted a ticket without PAC attributes. As I understand it, since both my DCs are updated, I shouldn't see those events. Can anyone confirm this?

Another question: what happens if I set the registry key to "2"? Will my Windows clients be stopped from connecting to the domain or to a DC?

(All this is in a test environment)


0 Votes
ms-3824 answered Skywalker-6025 edited

After installing the update, events 35, 37 started showing up, and after about 7 days stopped.
Today (more than 14 days later) I added the registry key PacRequestorEnforcement=2.
For now nothing has changed, and nothing in the events either. If anything changes, I'll add the value to another domain.


It didn't block any client connection to your domain / DC when you set the key to 2?

I am struggling to understand what that key with this value really means.

0 Votes

No, I did not observe any issue after adding the new key to the registry.
In my opinion PacRequestorEnforcement = 2 means that Kerberos is forced to use the new information about the original requestor for improved security, but it is important to do that in steps to give systems/users and services time to prepare (to install the 2021-11 update that adds the information about the new value).
Events 35, 37 show up for about 7 days after installing the updates and then stop appearing, so maybe it is something like a TTL, and refreshing some information for Kerberos needs time.

1 Vote

Thanks for your answer!
Only the DC needs this update? Or do I need to update all my Windows 10 clients? (to make it work if the key = 2)

0 Votes

1 Vote
MarkusWalschburger-6887 answered JeenPallickaparampil-1724 commented

Keep in mind that these 7 days result from the following two settings, which are the defaults if nothing else is applied:
Maximum Lifetime For User Ticket Renewal (7 days)
Maximum Lifetime For User Ticket (10 hours)
This allows for TGT refresh for 7 days + 10 hours of the ticket lifetime itself, starting the day all DCs have been updated.
So the PAC message should then disappear.
If you have individual settings for the above Kerberos policy settings, you have to do the math to reflect them.


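The math in the answer above, as an added example (not code from the thread): it reads MaxTicketAge and MaxRenewAge from the effective policy and computes the latest time an old-style TGT could still be renewed after the last DC was patched. It assumes an elevated session on a DC where `secedit /export` writes a [Kerberos Policy] section, and the patch time used is the DC2 reboot time quoted earlier in the thread.

```powershell
# Added example: when should events 35/37 stop, given the Kerberos policy in force?
# Assumes 'secedit /export' on a DC yields [Kerberos Policy] with MaxTicketAge (hours)
# and MaxRenewAge (days); the defaults 10 and 7 are used if a line is absent.
function Get-KerberosPolicyFromSecedit {
    param([string]$Path = (Join-Path $env:TEMP 'secpol-kerb.inf'))
    $null = secedit.exe /export /cfg $Path /areas SECURITYPOLICY /quiet
    $inf = Get-Content -Path $Path
    Remove-Item $Path -ErrorAction SilentlyContinue
    $policy = @{ MaxTicketAge = 10; MaxRenewAge = 7 }
    foreach ($line in $inf) {
        if ($line -match '^\s*(MaxTicketAge|MaxRenewAge)\s*=\s*(\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    $policy
}

function Get-ExpectedQuietTime {
    param(
        [Parameter(Mandatory)][datetime]$LastDcPatched,   # reboot time of the last DC patched
        [int]$MaxRenewAgeDays   = 7,
        [int]$MaxTicketAgeHours = 10
    )
    # A TGT issued just before the last DC got the update can be renewed (still
    # lacking the requestor attribute) for MaxRenewAge, and the final renewed
    # ticket then lives for MaxTicketAge more; after that no such ticket remains.
    $quietBy = $LastDcPatched.AddDays($MaxRenewAgeDays).AddHours($MaxTicketAgeHours)
    [pscustomobject]@{
        LastDcPatched = $LastDcPatched
        QuietBy       = $quietBy
        StillExpected = (Get-Date) -lt $quietBy
    }
}

$policy = Get-KerberosPolicyFromSecedit
# Constructed input taken from the thread: DC2 rebooted on 11/18/2021 at 12:29 AM.
Get-ExpectedQuietTime -LastDcPatched ([datetime]::new(2021, 11, 18, 0, 29, 0)) `
    -MaxRenewAgeDays $policy.MaxRenewAge -MaxTicketAgeHours $policy.MaxTicketAge
```

Events still logged after QuietBy point at a client or service that has not renewed its TGT since the DCs were patched, rather than at the policy window.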

I can confirm this; I patched half of my DCs on the 14th and they are no longer showing the 37 EventIds, and the other half patched 21st Dec are still showing. To be precise, the latter DCs don't update the PAC with the requestor on renewal tickets. Once these disappear (7 days), I intend to roll out the registry key and enforce. Till then I've enabled our SIEM to collect Event 4662s.

0 Votes