Event ID 37 - Kerberos-Key-Distribution-Center

Computer Gladiator 111 Reputation points
2021-12-06T18:25:34.75+00:00

Hello,
the events 35 and 37 started to appear in the event logs a couple of weeks ago and from what I researched, Microsoft should be providing a Windows Update for this issue. Can anyone confirm or have further insight on this issue?

Event Id 37
The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Ticket PAC constructed by: <domain controller>
Client: <domain>\<computername>
Ticket for: krbtgt

Event ID 35
The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (<domain controller>) that did not contain a PAC attributes field. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Thank you

Windows for business | Windows Server | User experience | Other

12 answers

  1. Computer Gladiator 111 Reputation points
    2021-12-09T00:58:46.543+00:00

    So far it is only for this one user. Should I install the KB5008380 manually for that user's system or the domain controller?


  2. Computer Gladiator 111 Reputation points
    2021-12-11T00:17:55.587+00:00

    Hi, it looks like the past 2 days show events with 3 systems and that one user. Things are improving it appears. I will monitor further. Thanks


  3. Computer Gladiator 111 Reputation points
    2021-12-14T16:07:49.277+00:00

    Hi, I am getting fewer events occurring. None today so I think things are getting cleaned up. Thank you


  4. AV 6 Reputation points
    2022-01-05T08:19:35.33+00:00

    Hi

    A month after all DCs were patched with the November 9 patch and restarted, and 4 days after they were patched and restarted with the December 14 patch - all DCs are Windows 2016.
    But even today, we still get many Events 35 + 37 for some user accounts and a few Cluster computer accounts.
    Tickets are generated and logged by\in multiple DCs.

    Our maximum lifetimes for Kerberos tickets are MS defaults. So the maximum lifetime for user ticket renewal is one week, so I'm simply not sure what's going on here.
    We wish to go ahead with the enforcement phase, but are worried about those events, and whether they can be ignored or not.
    Is there any official answer from Microsoft on this matter?

    Here is our MS default Kerberos Policy:
    Enforce user logon restrictions - Enabled
    Maximum lifetime for service ticket - 600 minutes
    Maximum lifetime for user ticket - 10 hours
    Maximum lifetime for user ticket renewal - 7 days
    Maximum tolerance for computer clock synchronization - 5 minutes


  5. LeeM 41 Reputation points
    2022-02-22T09:57:32.177+00:00

    I'm still getting event 37 events in my environment (in at least three separate forests, in fact). All DCs were patched in November, have received subsequent updates, and have been rebooted multiple times.

    We haven't explicitly set the reg key - it says in the doco that it defaults to "1" - is this correct or should we set it?

    Note that it's not all users in this particular environment, but it's two service accounts (out of dozens), server administration accounts and one computer account. Most, if not all of these accounts are highly-privileged (e.g. domain admins, account operators etc). I've traced back the original logon events at the same time and rebooted some of the member servers.

    They are all event 37, none of the other PAC "mismatch" or "not found" events. As you can see below, this example is an account that received its PAC from the same DC that's reporting the error. This account logs on multiple times per day, so should have received an updated PAC literal months ago.

    Log Name:      System
    Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
    Date:          2022-02-21 15:23:54
    Event ID:      37
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      TSTADC01.xxx.au
    Description:
    The Key Distribution Center (KDC) [...]
    
      Ticket PAC constructed by: TSTADC01
      Client: XXX.AU\\SVC_ABC
      Ticket for: krbtgt
    

    Do we maybe need to reset the krbtgt account? Something to do with impersonation logons perhaps?

    I would rather not have to do packet tracing to get to the bottom of this, so a useful guide to maybe enabling additional debug logs or something would be helpful. Or an actual answer as to why it's persisting.
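
Added example, not part of any post above and not Microsoft tooling: one way to track which accounts and which PAC-building DCs still produce events 35 and 37, and when each was first and last seen, instead of reading the log by hand. The function names, `DC01`, `DC02` and `EXAMPLE\SVC_ABC` are assumptions; the sample records are constructed to match the event text quoted in the thread.

```powershell
# Added example. ConvertFrom-KdcPacMessage and Get-KdcPacEventSummary are
# hypothetical helper names, not built-in cmdlets.
function ConvertFrom-KdcPacMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$Id,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][datetime]$TimeCreated,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][AllowEmptyString()][string]$Message
    )
    process {
        $builtBy = $client = $target = $null
        # Event 37 carries labelled fields; event 35 names the other KDC in parentheses.
        if ($Message -match 'Ticket PAC constructed by:\s*(\S+)') {
            $builtBy = $Matches[1]
        } elseif ($Message -match 'from another KDC \(([^)]+)\)') {
            $builtBy = $Matches[1]
        }
        if ($Message -match 'Client:\s*(\S+)')     { $client = $Matches[1] }
        if ($Message -match 'Ticket for:\s*(\S+)') { $target = $Matches[1] }
        [pscustomobject]@{ Id = $Id; Time = $TimeCreated; PacBuiltBy = $builtBy
                           Client = $client; TicketFor = $target }
    }
}

function Get-KdcPacEventSummary {
    param([Parameter(Mandatory)][object[]]$Record)
    # One row per event ID / account / PAC-building DC, with first and last sighting.
    $Record | Group-Object Id, Client, PacBuiltBy | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Id = $_.Group[0].Id; Client = $_.Group[0].Client; PacBuiltBy = $_.Group[0].PacBuiltBy
            Count = $_.Count; FirstSeen = $times[0]; LastSeen = $times[-1]
        }
    } | Sort-Object LastSeen -Descending
}

# Constructed sample records (not from a real log), laid out like the events quoted in the thread.
$msg37 = "The Key Distribution Center (KDC) [...]`n`n  Ticket PAC constructed by: DC01`n  Client: EXAMPLE\SVC_ABC`n  Ticket for: krbtgt"
$msg35 = "The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (DC02) that did not contain a PAC attributes field."
$sample = @(
    [pscustomobject]@{ Id = 37; TimeCreated = [datetime]'2022-02-20T09:00:00'; Message = $msg37 }
    [pscustomobject]@{ Id = 37; TimeCreated = [datetime]'2022-02-21T15:23:54'; Message = $msg37 }
    [pscustomobject]@{ Id = 35; TimeCreated = [datetime]'2022-02-21T16:00:00'; Message = $msg35 }
)
Get-KdcPacEventSummary -Record ($sample | ConvertFrom-KdcPacMessage) | Format-Table -AutoSize

# On a domain controller, feed the live System log instead of the sample:
# $f = @{ LogName = 'System'; Id = 35, 37; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' }
# Get-KdcPacEventSummary -Record (Get-WinEvent -FilterHashtable $f | ConvertFrom-KdcPacMessage)
```

Comparing `LastSeen` per account across runs shows whether the events are tapering off or persisting for the same accounts.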

