Kerberos delegation triggers a fault in lsass.exe

David Herselman 6 Reputation points
2022-10-30T16:20:04.023+00:00

Source: Application Error
Event ID: 1000

Faulting application name: lsass.exe, version: 10.0.17763.3532, time stamp: 0xcda34c13
Faulting module name: ntdll.dll, version: 10.0.17763.3532, time stamp: 0xbe72b56e
Exception code: 0xc0000008
Fault offset: 0x00000000000a461a
Faulting process id: 0x28c
Faulting application start time: 0x01d8ec2710acbb86
Faulting application path: C:\WINDOWS\system32\lsass.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 8ad22051-aedd-4c96-a96a-05d06847b630
Faulting package full name:
Faulting package-relative application ID:

We have this problem with Azure AD Application Proxy running on either Windows 2019 or Windows 2022 servers. We have tried to harden our environment following Microsoft's security baseline recommendations which includes things such as SMBv1 being disabled, all LDAP calls requiring signing, NTLM being disabled everywhere except AD CS (Petit Potam hardening applied separately), Kerberos FAST is enabled and we make use of RunAsPPL (runs lsass.exe as a protected process).

On the Windows 2019 host:
Installing the out of band update (https://support.microsoft.com/en-us/topic/october-17-2022-kb5020438-os-build-17763-3534-out-of-band-cd499c1a-6d60-49a1-9a40-fad42c1d393a) has made no difference.

On the Windows 2022 host:
Installing cumulative update 2022-10 (KB5018485) resolved the issue (released as preview on the 25th of October)

Disabling RunAsPPL still results in fault and the VM being restarted (yes, deleted the registry item and used the UEFI tool to clear the variable):
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

Additional information, should it be useful:
Source: Microsoft-AAD Application Proxy Connector/Admin
Event ID: 13019

Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The RPC server is unavailable.
(0x800706ba).

Details:
Transaction ID: {14628f5f-0dbb-4f33-a780-54e80f188bdd}
Session ID: {14628f5f-0dbb-4f33-a780-54e80f188bdd}
Published Application Name:
Published Application ID:
Published Application External URL: https://redacted/
Published Backend URL: https://redacted/
User: username@ad.redacted
User-Agent: Mozilla/5.0 (Linux; Android 12; IN2023) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36
Device ID: <Not Applicable>
Token State: NotFound
Cookie State: NotFound
Client Request URL: https://redacted/favicon.ico
Backend Request URL: <Not Applicable>
Preauthentication Flow: PassThrough
Backend Server Authentication Mode: WIA
State Machine State: BackendRequestProcessing_Pending
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: <Not Applicable>
Client Request Http Verb: GET

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,742 questions
{count} votes

1 answer

Sort by: Most helpful
  1. JimmySalian-2011 31,901 Reputation points
    2022-10-31T08:03:38.023+00:00

    Hi David,

    Can you check on the server if you have KB016623 installed? There was an article and mentioned that November 2022 Security update will fix this issue, meanwhile can you try to uninstall this KB I mentioned.

    Hope this helps.
    JS

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.