November 2021 Updates, Events 35, 37 on DCs, PacRequestorEnforcement registry key: Confusion and Questions

jremmc 56 Reputation points
2021-11-18T19:05:56.79+00:00

Yesterday, I installed the November 9, 2021 update KB5007192 on my Windows Server 2016 test network (2 DCs, 2 E2K16, 2 SP2016, 1 OOS, 2 SQL2016, and 1 Windows 10 21H1) with no 3rd party products, no public facing platforms including email. So, pretty simple setup.

I then installed on the DCs only the November 14, 2021 emergency out-of-band update KB5008601.

Neither DC has the PacRequestorEnforcement registry key. The key does not exist. QUESTIONS: Is the key supposed to exist or are we supposed to add it? (KB5008380 on the Kerberos TGT PAC changes in the November 9, 2021 update is confusing and lacks adequate guidance.) If we are supposed to add the key, are we supposed to add it *just to the DCs* or to all clients (all member servers, workstations) too?

Event IDs 35 (PAC without attribute) and 37 (Ticket without Requestor) as described in KB5008380 (https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041) started after the Nov 9 update and *continue* after the Nov 14 update. (I assume the events are not related to the Nov 9 authentication bug, and I see no authentication errors in the Security (or App or System) logs on the DCs or clients, but I installed the Nov 14 update anyway.)

Oddly, on *each* DC I am getting Event 35 about both DCs (the other DC *and* the DC generating the event). I am getting Event 37 about all the clients (member servers and the W10 machine) plus SharePoint service accounts (AD farm, service app accounts), the SQL service account (AD account running the SQL service), the SQL Cluster$ account, and Exchange Health Mailboxes. (Geez, the Health Mailboxes!?)

I searched online and found two other posts reporting the same events, one for Windows Server 2012 R2 (https://learn.microsoft.com/en-us/answers/questions/630388/server-2012-r2-std-generates-event-id-37-microsoft.html) and one for Windows Server 2019 (https://community.spiceworks.com/topic/2338789-event-id-35-and-37-kerberos-on-server-2019). The first poster with W2K12 R2 also installed the Nov 14th update. No definitive answers last I checked the posts; just guesses and surmises.

QUESTIONS: Are Events 35 and 37 occurring because the PacRequestorEnforcement registry key does not exist? Will the events resolve if we add the registry key with a value of 1? And if yes, do we add the registry key to DCs only, or to all domain-joined Windows machines? What if the events continue after adding the registry key, then what? I mean, geez, are we going to have an issue with SharePoint, OOS, SQL, and Exchange? They are pretty much set up the way Microsoft SharePoint, OOS, and Exchange teams tell us to set them up. SP uses Constrained Delegation (any protocol) for some service apps, and claims authentication for web apps. Exchange setup is strictly by using Microsoft Exchange team guidance. I didn't find anything online from those teams on this update, did I miss posts?

It would be great to have definitive answers to my questions, and much better instructions and guidance from Microsoft. Definitely going to wait before installing updates on production environment.

Thanks,
Joan
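As an added example that is not part of the original thread: the two checks the question asks about (does the PacRequestorEnforcement value exist on each DC, and which accounts are the KDC Events 35/37 being logged for) can be run across all DCs in one pass. The script assumes the RSAT ActiveDirectory module, WinRM access to each DC and domain-admin rights. The registry path and the event log/provider are the ones KB5008380 documents; the `Client: DOMAIN\account` pattern used to pull the account name out of the Event 37 text is my reading of the event message and is an assumption that may need adjusting.

```powershell
# Added example (not from the thread): survey every DC for the
# PacRequestorEnforcement value and for KDC Events 35/37 from KB5008380.
# Assumes RSAT ActiveDirectory module, WinRM to each DC, domain-admin rights.
# The "Client: DOMAIN\account" pattern for Event 37 is an assumption.

param([int]$LookbackHours = 24)

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'PacRequestorEnforcement'

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $keyPath, $valueName, $LookbackHours -ScriptBlock {
        param($keyPath, $valueName, $LookbackHours)

        # 1. Registry: the update does not create this value. Per KB5008380 the
        #    KDC behaves as if it were 1 (deployment mode) when it is absent;
        #    0 disables the new behaviour, 2 is enforcement.
        $item  = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'absent (KDC defaults to 1)' } else { [string]$item.$valueName }

        # 2. Events 35 (PAC without attribute) and 37 (ticket without requestor)
        #    are written to the System log by the KDC that processed the ticket.
        $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 35, 37
            StartTime    = (Get-Date).AddHours(-$LookbackHours)
        }
        $e35 = @($events | Where-Object Id -eq 35)
        $e37 = @($events | Where-Object Id -eq 37)

        # Accounts still presenting tickets issued before the DCs were patched
        # (message pattern is an assumption; adjust if your events differ).
        $accounts = $e37 | ForEach-Object {
            if ($_.Message -match 'Client:\s*(\S+)') { $Matches[1] }
        } | Sort-Object -Unique

        [pscustomobject]@{
            DC              = $env:COMPUTERNAME
            PacRequestorEnf = $state
            Event35         = $e35.Count
            Event37         = $e37.Count
            Event37Accounts = ($accounts -join ', ')
        }
    }
}

$report | Select-Object DC, PacRequestorEnf, Event35, Event37, Event37Accounts | Format-Table -AutoSize
```

Run it once a day after patching; a DC that still shows Event 37 for a given account after the Kerberos renewal window has passed is the one to look at, and the account column tells you whether the remaining noise comes from a member that has not rebooted or from a long-lived service ticket.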

Tags: Windows Server, Active Directory, Windows Server Security

12 answers

  1. Anonymous
    2021-11-19T16:54:52.143+00:00

    It's now looking like the Events 35 and 37 will go away as the members get patched.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  2. Limitless Technology 39,626 Reputation points
    2021-11-22T08:36:06.237+00:00

    Hi there,

    You will get the registry key in the second deployment.

    These Windows Updates will be released in three phases:

    Initial deployment – Introduction of the update, as well as the PacRequestorEnforcement registry key

    Second deployment – Removal of PacRequestorEnforcement value of 0 (ability to disable the registry key)

    Enforcement phase – Enforcement mode is enabled. Removal of PacRequestorEnforcement registry key

    https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041


    --If the reply is helpful, please Upvote and Accept it as an answer--

    1 person found this answer helpful.

  3. Markus Walschburger 6 Reputation points Microsoft Employee
    2021-12-21T23:38:55.64+00:00

    Keep in mind that these 7 days result from both of the following settings, which are the defaults if nothing else is applied:
    Maximum Lifetime For User Ticket Renewal (7 days)
    Maximum Lifetime For User Ticket (10 hours)
    This allows for TGT refresh for 7 days + 10 hours of the ticket lifetime itself, starting the day all DCs have been updated.
    So the PAC message should then disappear.
    If you have individual settings for the above Kerberos policy settings, you have to do the math to reflect them.

    1 person found this answer helpful.
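The arithmetic in the answer above uses the default Kerberos policy. As an added example that is not part of the thread, this script reads the Kerberos policy actually in effect on the DC it runs on and computes the point after which Events 35/37 should stop for tickets issued before the last DC was patched. It must run elevated on a DC; the section and value names it parses from the `secedit` export (`[Kerberos Policy]`, `MaxRenewAge` in days, `MaxTicketAge` in hours) are my reading of that file format and are an assumption, with the documented defaults used as a fallback.

```powershell
# Added example (not from the thread): compute when Events 35/37 should stop
# once all DCs are patched, using the effective Kerberos policy on this DC.
# Run elevated on a DC. INF section/value names are an assumption.

param(
    [Parameter(Mandatory)] [datetime]$AllDCsPatched   # when the last DC received the update
)

$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Parse "Name = Value" lines inside the [Kerberos Policy] section.
$section = $null
$policy  = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'Kerberos Policy' -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Fall back to the defaults quoted in the thread if the export lacks the values.
$renewDays   = if ($policy.ContainsKey('MaxRenewAge'))  { $policy['MaxRenewAge'] }  else { 7 }
$ticketHours = if ($policy.ContainsKey('MaxTicketAge')) { $policy['MaxTicketAge'] } else { 10 }

# A TGT issued by an unpatched DC can be renewed for MaxRenewAge days, and the
# last renewal is itself valid for MaxTicketAge hours on top of that.
$quietAfter = $AllDCsPatched.AddDays($renewDays).AddHours($ticketHours)

[pscustomobject]@{
    MaxRenewAgeDays  = $renewDays
    MaxTicketAgeHrs  = $ticketHours
    AllDCsPatched    = $AllDCsPatched
    EventsShouldStop = $quietAfter
}
```

If you see Event 37 for an account after the computed date, that account is presenting a ticket obtained after the patch that still lacks the requestor information, which points at an unpatched or un-rebooted member rather than at lingering old tickets.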

  4. Elitzer, Norbert 1 Reputation point
    2021-11-19T11:12:53.993+00:00

    We have almost the same problem with 6 DCs on Windows Server 2012 R2. After the update on 2021-11-08 the Kerberos errors occurred.
    The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\PacRequestorEnforcement does not exist.

    On 2 DCs we applied the new update KB5008603 (11/14/2021) today.
    Even after that the registry key was not present.
    For the past 2 hours the 2 DCs have not reported any errors.

    Should the registry key be generated automatically ?


  5. JC27 1 Reputation point
    2021-11-22T14:16:51.097+00:00

    Hi There,

    We patched our DCs with KB5008601 (Win 2016) without installing the 9th November updates (KB5007192).

    Yet, the registry key PacRequestorEnforcement does not exist on our DCs.

    Should the registry key appear upon installing the Windows update (KB5008601)?

