Kerberos delegation triggers a fault in lsass.exe

David Herselman 6 Reputation points
2022-10-30T16:20:04.023+00:00

Source: Application Error
Event ID: 1000

Faulting application name: lsass.exe, version: 10.0.17763.3532, time stamp: 0xcda34c13
Faulting module name: ntdll.dll, version: 10.0.17763.3532, time stamp: 0xbe72b56e
Exception code: 0xc0000008
Fault offset: 0x00000000000a461a
Faulting process id: 0x28c
Faulting application start time: 0x01d8ec2710acbb86
Faulting application path: C:\WINDOWS\system32\lsass.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 8ad22051-aedd-4c96-a96a-05d06847b630
Faulting package full name:
Faulting package-relative application ID:

We have this problem with Azure AD Application Proxy running on either Windows 2019 or Windows 2022 servers. We have tried to harden our environment following Microsoft's security baseline recommendations, which include things such as SMBv1 being disabled, all LDAP calls requiring signing, NTLM being disabled everywhere except AD CS (PetitPotam hardening applied separately), Kerberos FAST being enabled, and we make use of RunAsPPL (runs lsass.exe as a protected process).

On the Windows 2019 host:
Installing the out-of-band update (https://support.microsoft.com/en-us/topic/october-17-2022-kb5020438-os-build-17763-3534-out-of-band-cd499c1a-6d60-49a1-9a40-fad42c1d393a) has made no difference.

On the Windows 2022 host:
Installing cumulative update 2022-10 (KB5018485) resolved the issue (released as a preview on the 25th of October).

Disabling RunAsPPL still results in the fault and the VM being restarted (yes, I deleted the registry item and used the UEFI tool to clear the variable):
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

Additional information, should it be useful:
Source: Microsoft-AAD Application Proxy Connector/Admin
Event ID: 13019

Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The RPC server is unavailable. (0x800706ba).

Details:
Transaction ID: {14628f5f-0dbb-4f33-a780-54e80f188bdd}
Session ID: {14628f5f-0dbb-4f33-a780-54e80f188bdd}
Published Application Name:
Published Application ID:
Published Application External URL: https://redacted/
Published Backend URL: https://redacted/
User: username@ad.redacted
User-Agent: Mozilla/5.0 (Linux; Android 12; IN2023) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36
Device ID: <Not Applicable>
Token State: NotFound
Cookie State: NotFound
Client Request URL: https://redacted/favicon.ico
Backend Request URL: <Not Applicable>
Preauthentication Flow: PassThrough
Backend Server Authentication Mode: WIA
State Machine State: BackendRequestProcessing_Pending
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: <Not Applicable>
Client Request Http Verb: GET
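A triage script for the symptoms described above, added here as an example and not taken from the thread or from Microsoft: it correlates lsass.exe Application Error 1000 events with the connector's 13019 Kerberos errors on the same host and reports the RunAsPPL value and whether the two updates mentioned in the thread are installed. The function names are my own; it assumes "Microsoft-AAD Application Proxy Connector/Admin" is the event log name and that it runs elevated on the connector host.

```powershell
# Added triage helper; event IDs, log names and KB numbers come from the thread,
# the function names are hypothetical. Run elevated on the App Proxy connector.
function Get-LsassFaultEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Application Error 1000 entries that name lsass.exe as the faulting application
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'
                                      Id = 1000; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Faulting application name: lsass\.exe' }
}

function Get-AppProxyKerberosErrors {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # 13019: connector could not obtain a Kerberos ticket on behalf of the user (KCD failure)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-AAD Application Proxy Connector/Admin'
                                      Id = 13019; StartTime = $Since } -ErrorAction SilentlyContinue
}

# Pair each lsass fault with the 13019 errors logged in the minutes before it;
# KCD failures followed by an lsass crash is the sequence the thread describes.
function Find-CorrelatedFaults {
    param([object[]]$LsassFaults, [object[]]$ProxyErrors, [int]$WindowSeconds = 300)
    foreach ($fault in $LsassFaults) {
        $related = @($ProxyErrors | Where-Object {
            $_.TimeCreated -le $fault.TimeCreated -and
            $_.TimeCreated -ge $fault.TimeCreated.AddSeconds(-$WindowSeconds) })
        [pscustomobject]@{
            LsassFaultTime  = $fault.TimeCreated
            ProxyErrorCount = $related.Count
            FirstProxyError = ($related | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        }
    }
}

# RunAsPPL registry state plus whether the two updates discussed in the thread are present
function Get-LsaHardeningState {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ppl = if ($null -ne $lsa.RunAsPPL) { $lsa.RunAsPPL } else { 'not set' }
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    [pscustomobject]@{
        RunAsPPL  = $ppl
        KB5020438 = 'KB5020438' -in $installed   # Server 2019 out-of-band update (did not help the OP)
        KB5018485 = 'KB5018485' -in $installed   # Server 2022 October preview CU (resolved it for the OP)
    }
}

$faults   = @(Get-LsassFaultEvents)
$proxyErr = @(Get-AppProxyKerberosErrors)
Find-CorrelatedFaults -LsassFaults $faults -ProxyErrors $proxyErr | Format-Table -AutoSize
Get-LsaHardeningState | Format-List
```

Note that RunAsPPL set through the UEFI variable survives deletion of the registry value, which is why the poster also had to clear it with the UEFI tool; the registry check alone cannot tell you that.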

1 answer

  1. JimmySalian-2011 41,916 Reputation points
    2022-10-31T08:03:38.023+00:00

    Hi David,

    Can you check on the server whether you have KB016623 installed? There was an article that mentioned the November 2022 security update will fix this issue; meanwhile, can you try to uninstall the KB I mentioned?

    Hope this helps.
    JS

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.