AnserLeon-8576 asked DSPatrick commented

37 Kerberos-Key-distribution-Center

Hello there,

I have several DCs in my network (2012 Standard, 2016 Standard). One of my DCs keeps repeating the following error:
Event ID 37
Source : Kerberos-Key-Distribution-Center

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Ticket PAC constructed by: servername
Client: domain\username
Ticket for: krbtgt

I already followed the instructions on this link: https://go.microsoft.com/fwlink/?linkid=2173051 and set up every DC with the enforced registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc

I know this will be deployed in different phases.

However, I still have a few questions:

  1. Is it normal to keep getting the error after we set up the enforced key on every DC?

  2. Is there a way to make the error go away?

  3. Is manually entering the enforcement key part of the process?


Thanks in Advance.

windows-server, windows-server-2016, windows-server-2012

1 Answer

DSPatrick answered DSPatrick commented

Patch all the domain controllers as a first step. Then each user will get the new improved authentication information PACs of Kerberos Ticket-Granting Tickets (TGT) described in the KB.

Then it looks like you may get one warning for every user.

https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
Adds the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated.


The PacRequestorEnforcement registry value's only function is to allow you to transition to the Enforcement phase early. Otherwise not needed.


--please don't forget to upvote and Accept as answer if the reply is helpful--



Just checking if there's any progress or updates?

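
One way to check whether the Event ID 37 warnings discussed in this thread are tapering off, and which DC built the PACs that trigger them: the following is an added example, not part of the original thread or of Microsoft's guidance. It tallies event messages by the "Ticket PAC constructed by" and "Client" fields quoted in the question; the function name, DC names and accounts are constructed, and the log and provider names in the comments are assumptions.

```powershell
# Added example: tally Event ID 37 messages by issuing DC and by client.
function Get-Kdc37Summary {
    param([Parameter(Mandatory)] [string[]] $Message)   # event message bodies

    $rows = foreach ($m in $Message) {
        # Field labels come from the event text quoted in the question.
        $pacBy  = if ($m -match '(?m)^\s*Ticket PAC constructed by:\s*(.+?)\s*$') { $Matches[1] } else { '(unparsed)' }
        $client = if ($m -match '(?m)^\s*Client:\s*(.+?)\s*$') { $Matches[1] } else { '(unparsed)' }
        [pscustomobject]@{ PacConstructedBy = $pacBy; Client = $client }
    }

    # One row per DC that built the PAC: total warnings and distinct accounts.
    $rows | Group-Object PacConstructedBy | ForEach-Object {
        [pscustomobject]@{
            PacConstructedBy = $_.Name
            Events           = $_.Count
            DistinctClients  = @($_.Group.Client | Sort-Object -Unique).Count
        }
    } | Sort-Object Events -Descending
}

# Constructed sample messages (abbreviated first line; names are made up).
$template = "The Key Distribution Center (KDC) encountered a ticket ...`r`n`r`n" +
            "Ticket PAC constructed by: {0}`r`nClient: {1}`r`nTicket for: krbtgt"
$sample = @(
    $template -f 'DC01', 'CONTOSO\alice'
    $template -f 'DC01', 'CONTOSO\alice'
    $template -f 'DC01', 'CONTOSO\bob'
    $template -f 'DC02', 'CONTOSO\carol'
)
Get-Kdc37Summary -Message $sample | Format-Table -AutoSize

# Live use on a DC (assumes the System log and this provider name):
# $msgs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 37
#     ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' } |
#     ForEach-Object Message
# Get-Kdc37Summary -Message $msgs
#
# Current setting on this DC (empty output if the value is not present):
# (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\Kdc').PacRequestorEnforcement
```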