Windows Server 2019 lsass.exe crash Faulting module kerberos.DLL after 2024-04 Cumulative Update

Question

Hello,

after applying latest updates we encounter a lot of VM reboots initiated by crashing lsass.exe.

The update we applied:

2024-04 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5036896)

we even tried the respective Out-of-band fix:

May 23, 2024-KB5039705 (OS Build 17763.5830) Out-of-band

without luck, the lsass.exe is still crashing.

This is happening also on Windows Server 2016 but one cumulative update sooner (2024-03).

The server is hosting single service for our central management (SLD/tomcat+java).

Attached please find

• Event Log entries (printed via powershell) sld03_EventLog.txt
• lsass.exe crash dump captured using latest procdump64.exe sld03_lsass01.zip (unable to upload .dmp or .zip, so only providing the analyzed crash dump sld03_lsass01.dmp.dumpchk.txt)

So far we workaround this issue by uninstalling the update(s).

We also found out that we can keep the update(s) in place but replacing the kerberos.dll to the older one (the latest working is kerberos.5576.dll) would prevent the lsass.exe from crashing.

Maybe worth to mention: since the Event Log points the faulting module to kerberos.dll we made some tests with particular versions in this order:

OK: kerberos.5576_01_fresh_image_march.dll

OK: kerberos.5576_02_fresh_image_march+KB5037425(out of band OS 5579).dll

crashing: kerberos.5696_03_fresh_image_march+KB5036896(2024-04-cumulative OS nnnn).dll

crashing: kerberos.5830_04_fresh_image_march+KB5036896(2024-04-cumulative OS nnnn)+KB5039705(2024-05-OOB OS 5830).dll

Since, obviously, we need to patch up the OS ... and replacing the kerberos.dll to some old version is also not long term acceptable:

Kindly let us know on how to proceed in future.

Or is there a chance the development will look into this issue and fix back the problem introduced with latest changes ?

Thanks and regards.

Notes:

1. we went through several of the answers (with similar issues) provided by google and on QAs here, unfortunately without any luck.
2. we are also reporting the issue to our development responsible for the central management service to at least identify the particular API call into lsass.exe - if that will help.

Answer 1

Hello

I understand the issue you're facing with the lsass.exe crashes after applying the recent updates. This seems to be a known problem with the updates KB5036896 and KB5039705, as well as with the previous month's update for Windows Server 2016. The crashes you're experiencing are consistent with the symptoms other users have reported.

 

The workaround you've found by replacing the kerberos.dll with an older version is a temporary solution that some users have also adopted. However, as you mentioned, this is not a long-term solution.

 

From the information available, it appears that Microsoft is aware of the issues caused by these updates, particularly the problems related to lsass.exe and kerberos.dll. The best course of action would be to report this issue through the official channels, providing all the details of your findings, including the tests you've conducted with different versions of kerberos.dll. This will help Microsoft's development team to address the issue in a future update.

 

In the meantime, you may consider the following steps:

 

Continue to monitor the official Microsoft support channels for any new updates or patches that address this issue.

 

If possible, test the updates in a controlled environment before deploying them to your production servers.

Keep the updates that are causing the crashes uninstalled until a fix is released.

 

I understand that this situation is not ideal, but given the critical nature of lsass.exe, it's important to ensure the stability and security of your servers.

Answer 2

for whomever stumbles upon this topic - fixed by:

2024-06 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5039217) - there is again new version of kerberos.dll (5933)

respectively fixed on Windows 2016:
2024-06 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5039214)