November 2021 Updates, Events 35, 37 on DCs, PacRequestorEnforcement registry key: Confusion and Questions

jremmc 56 Reputation points
2021-11-18T19:05:56.79+00:00

Yesterday, I installed the November 9, 2021 update KB5007192 on my Windows Server 2016 test network (2 DCs, 2 E2K16, 2 SP2016, 1 OOS, 2 SQL2016, and 1 Windows 10 21H1) with no 3rd party products, no public facing platforms including email. So, pretty simple setup.

I then installed on the DCs only the November 14, 2021 emergency out-of-band update KB5008601.

Neither DC has the PacRequestorEnforcement registry key. The key does not exist. QUESTIONS: Is the key supposed to exist or are we supposed to add it? (KB5008380 on the Kerberos TGT PAC changes in the November 9, 2021 update is confusing and lacks adequate guidance.) If we are supposed to add the key, are we supposed to add it just to the DCs or to all clients (all member servers, workstations) too?

Event IDs 35 (PAC without attribute) and 37 (Ticket without Requestor) as described in KB5008380 (https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041) started after the Nov 9 update and continue after the Nov 14 update. (I assume the events are not related to the Nov 9 authentication bug, and there are no authentication errors that I can see in the Security (or App or System) logs on the DCs or clients, but I installed the Nov 14 update anyway.)

Oddly, on each DC I am getting Event 35 about both DCs (the other DC and the DC generating the event). I am getting Event 37 about all the clients (member servers and the W10 machine) plus SharePoint service accounts (AD farm, service apps accounts), SQL service account (AD account running the SQL service), SQL Cluster$ account, and Exchange Health Mailboxes. (Geez, the Health Mailboxes!?)

I searched online and found two other posts reporting the same events, one for Windows Server 2012 R2 (https://learn.microsoft.com/en-us/answers/questions/630388/server-2012-r2-std-generates-event-id-37-microsoft.html) and one for Windows Server 2019 (https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019). The first poster with W2K12 R2 also installed the Nov 14th update. No definitive answers last I checked the posts; just guesses and surmises.

QUESTIONS: Are Events 35 and 37 occurring because the PacRequestorEnforcement registry key does not exist? Will the events resolve if we add the registry key with a value of 1? And if yes, do we add the registry key to DCs only, or to all domain-joined Windows machines? What if the events continue after adding the registry key, then what? I mean, geez, are we going to have an issue with SharePoint, OOS, SQL, and Exchange? They are pretty much set up the way Microsoft SharePoint, OOS, and Exchange teams tell us to set them up. SP uses Constrained Delegation (any protocol) for some service apps, and claims authentication for web apps. Exchange setup is strictly by using Microsoft Exchange team guidance. I didn't find anything online from those teams on this update, did I miss posts?

It would be great to have definitive answers to my questions, and much better instructions and guidance from Microsoft. Definitely going to wait before installing updates on production environment.

Thanks,
Joan
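The two things the question keeps circling back to are (a) what value each DC is actually running with and (b) which accounts the 35/37 events name. The script below is an added example, not code from the thread or from Microsoft; it inventories both across every DC in the domain. It uses the registry location documented in the KB5008380 article linked above (a DWORD named PacRequestorEnforcement under the Kdc service key, which is why it is a DC-side setting) and assumes the AD RSAT module and PowerShell remoting to the DCs are available. The `Client:` / `Ticket PAC constructed by:` parsing follows the event text quoted later in this thread.

```powershell
# Added example (not from the thread): per-DC inventory of the PacRequestorEnforcement
# value and a summary of KDC events 35/37 over the last 7 days.
# Assumes: RSAT ActiveDirectory module, PowerShell remoting to each DC, elevated session.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # location per KB5008380
$regName = 'PacRequestorEnforcement'
$since   = (Get-Date).AddDays(-7)

$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $regPath, $regName, $since -ScriptBlock {
        param($regPath, $regName, $since)

        # 1. Registry state. An absent value means the documented default (1, deployment
        #    phase) is in effect; the KB lists 0 = disabled, 1 = deployment, 2 = enforcement.
        $item  = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'not set (defaults to 1)' } else { [int]$item.$regName }

        # 2. Events 35 and 37 are written by the KDC provider to the System log.
        $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 35, 37
            StartTime    = $since
        } -ErrorAction SilentlyContinue)

        # 3. Extract the requesting account and the DC that built the PAC from the message
        #    body, then count per (event id, client, issuing DC) so service accounts that
        #    show up repeatedly (SQL, SharePoint, health mailboxes) are easy to spot.
        $summary = $events | ForEach-Object {
            $client = if ($_.Message -match 'Client:\s*(\S+)')         { $Matches[1] } else { '?' }
            $issuer = if ($_.Message -match 'constructed by:\s*(\S+)') { $Matches[1] } else { '?' }
            [pscustomobject]@{ Id = $_.Id; Client = $client; ConstructedBy = $issuer }
        } | Group-Object Id, Client, ConstructedBy |
            Sort-Object Count -Descending |
            Select-Object Count, Name

        [pscustomobject]@{
            DC             = $env:COMPUTERNAME
            PacEnforcement = $state
            EventCount     = $events.Count
            LastEvent      = if ($events.Count) { $events[0].TimeCreated } else { $null }  # newest first
            TopClients     = $summary | Select-Object -First 10
        }
    }
}
```

Run it once before and once after changing the value; if `EventCount` keeps growing while `PacEnforcement` already reads 1 on every DC, the `TopClients` list tells you which accounts are still presenting tickets that lack the new PAC attribute, which is the starting point for working out whether those tickets were issued before the update or by a DC that has not yet been patched.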


12 answers

  1. MISAdmin 381 Reputation points
    2021-11-23T13:33:38.597+00:00

    Same thing here, Joan, and I had the same questions. LimitlessTechnology - The second deployment only affects those who set the PacRequestorEnforcement to 0. By default, without a key (like we have after applying Nov's updates and the patch afterwards) we are essentially at 1. I'll have to monitor this thread to see what happens.


  2. Konstantin 1 Reputation point
    2021-11-27T18:40:44.727+00:00

    KB 5008380 lies:
    Data
    1: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, no further action is taken. Active Directory domain controllers in this mode are in the Deployment phase.
    ...
    Default 1 (when registry key is not set)

    All our UPDATED!!! Server 2019 DCs say:

    The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

    Ticket PAC constructed by: DC-10
    Client: ххх\yyy$
    Ticket for: krbtgt


  3. jremmc 56 Reputation points
    2021-11-29T14:49:34.77+00:00

    Everyone,

    See my response today to DSPatrick: the 35 and 37 events stopped on 11/24, 7 days (approximately, not exactly) after the last event of each was reported, and I have no clue as to why. But happy about it, to be sure. I did not/am not having any other errors on the DCs, and all the platforms (E2K, SP, SQL, OOS) did not/are not having any errors or issues. I am going to start installing the Nov update on the production network, and if I have a different experience I will report it here.

    Joan


  4. Skywalker 1 Reputation point
    2021-12-02T12:40:07.41+00:00

    We have 2 Windows Server 2016 DCs and they are both updated. (Since 11/30)
    I created the registry key and set it to "1".
    I still see Events 35 and 37 saying that one of my DCs granted a ticket without PAC attributes. As I understand it, since both my DCs are updated, I shouldn't see those events. Can anyone confirm this?

    Another question: what happens if I set the registry key to "2"? Will my Windows clients be stopped from connecting to the domain or to a DC?

    (All this is in a test environment)


  5. ms 11 Reputation points
    2021-12-06T08:43:04.61+00:00

    After installing the update, events 35 and 37 started showing up, and after about 7 days stopped.
    Today (more than 14 days later) I added the registry key PacRequestorEnforcement=2.
    For now nothing has changed, and nothing in the events either. If anything changes, I'll add the value to another domain.