Yesterday, I installed the November 9, 2021 update KB5007192 on my Windows Server 2016 test network (2 DCs, 2 E2K16, 2 SP2016, 1 OOS, 2 SQL2016, and 1 Windows 10 21H1) with no 3rd party products, no public facing platforms including email. So, pretty simple setup.
I then installed on the DCs only the November 14, 2021 emergency out-of-band update KB5008601.
Neither DC has the PacRequestorEnforcement registry key. The key does not exist. QUESTIONS: Is the key supposed to exist or are we supposed to add it? (KB5008380 on the Kerberos TGT PAC changes in the November 9, 2021 update is confusing and lacks adequate guidance.) If we are supposed to add the key, are we supposed to add it just to the DCs or to all clients (all member servers, workstations) too?
Event IDs 35 (PAC without attribute) and 37 (Ticket without Requestor) as described in KB5008380 (https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041) started after the Nov 9 update and continue after the Nov 14 update. (I assume the events are not related to the Nov 9 authentication bug, and there are no authentication errors that I can see in the Security (or App or System) logs on the DCs or clients, but I installed the Nov 14 update anyway.)
Oddly, on each DC I am getting Event 35 about both DCs (the other DC and the DC generating the event). I am getting Event 37 about all the clients (member servers and the W10 machine) plus SharePoint service accounts (AD farm, service app accounts), the SQL service account (AD account running the SQL service), the SQL Cluster$ account, and Exchange Health Mailboxes. (Geez, the Health Mailboxes!?)
I searched online and found two other posts reporting the same events, one for Windows Server 2012 R2 (https://docs.microsoft.com/en-us/answers/questions/630388/server-2012-r2-std-generates-event-id-37-microsoft.html) and one for Windows Server 2019 (https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019). The first poster with W2K12 R2 also installed the Nov 14th update. No definitive answers last I checked the posts; just guesses and surmises.
QUESTIONS: Are Events 35 and 37 occurring because the PacRequestorEnforcement registry key does not exist? Will the events resolve if we add the registry key with a value of 1? And if yes, do we add the registry key to DCs only, or to all domain-joined Windows machines? What if the events continue after adding the registry key, then what? I mean, geez, are we going to have an issue with SharePoint, OOS, SQL, and Exchange? They are pretty much set up the way Microsoft SharePoint, OOS, and Exchange teams tell us to set them up. SP uses Constrained Delegation (any protocol) for some service apps, and claims authentication for web apps. Exchange setup is strictly by using Microsoft Exchange team guidance. I didn't find anything online from those teams on this update, did I miss posts?
It would be great to have definitive answers to my questions, and much better instructions and guidance from Microsoft. Definitely going to wait before installing updates on the production environment.
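Added example (not part of the original post): a PowerShell audit that checks each DC for the PacRequestorEnforcement value and counts KDC events 35 and 37 per DC, which is the data needed to compare an absent key against the key set to 1 before touching production. It assumes the registry path, value meanings and event provider/log as documented in KB5008380, and an elevated session with the ActiveDirectory module.

```powershell
# Added example, not from the original post: audit each DC for the
# PacRequestorEnforcement value and count KDC events 35/37 since a given date.
# Assumptions: registry path, value meanings and event provider/log as
# documented in KB5008380; run elevated with the ActiveDirectory module.
$kdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName   = 'PacRequestorEnforcement'
$kdcProvider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$since       = (Get-Date).AddDays(-7)

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $kdcKey, $valueName, $kdcProvider, $since -ScriptBlock {
        param($key, $name, $provider, $since)

        # Absent value: assumed (per KB5008380) to behave as the default
        # deployment mode, where the events are informational only.
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $mode = if ($null -eq $item) { 'absent (assumed default: deployment)' }
                else {
                    switch ($item.$name) {
                        0       { '0 (disabled)' }
                        1       { '1 (deployment)' }
                        2       { '2 (enforcement)' }
                        default { "$($item.$name) (unknown)" }
                    }
                }

        # Events 35 (PAC without attribute) and 37 (Ticket without Requestor),
        # assumed to be written to the System log on the issuing DC.
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = $provider; Id = 35, 37; StartTime = $since
        } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DC       = $env:COMPUTERNAME
            Mode     = $mode
            Event35  = @($events | Where-Object Id -eq 35).Count
            Event37  = @($events | Where-Object Id -eq 37).Count
            # First line of each distinct message, to see which accounts appear
            Subjects = ($events | ForEach-Object { ($_.Message -split "`n")[0] } |
                        Sort-Object -Unique) -join '; '
        }
    }
}

$report | Format-Table DC, Mode, Event35, Event37 -AutoSize
$report | Select-Object DC, Subjects | Format-List
```

Run it once before and once after changing the value on a single test DC; if the counts stay the same for the service accounts listed above, the events are reporting ticket contents rather than authentication failures.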