krbtgt event 37

Shahin Mortazave 491 Reputation points
2022-01-06T13:40:59.403+00:00

Hi,

We have a mix of Server 2012, 2016 and 2019 DCs in our domain. In the System event logs of the DCs I see event 37:

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Ticket PAC constructed by: DCSERV5
Client: Mydomain.LOCAL\SERVER$
Ticket for: krbtgt

I understand that this event has something to do with the November updates. We installed the November updates on all of our DCs, and DCSERV5 was the last server that didn't have the November updates. This server is Server 2012 and I had to install the kb5008277, but it looks like this update has been taken over by KB5008277, so I did install KB5008277 on the Server 2012. So now all of the DCs are up to date, and my understanding was that when all of the DCs are up to date this event should disappear, but as I mentioned we still see this event.
Any suggestions?


Accepted answer
  1. Anonymous
    2022-01-06T13:50:58.96+00:00

    Patch all the domain controllers as a first step. Then each user will get the new improved authentication information in the PACs of Kerberos Ticket-Granting Tickets (TGTs) described in the KB.

    Then it looks like you may get one warning for every user.

    https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
    Adds the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated.

    The PacRequestorEnforcement registry value's only function is to allow you to transition to the Enforcement phase early. Otherwise it is not needed.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


5 additional answers

  1. Limitless Technology 39,711 Reputation points
    2022-01-07T11:15:32.737+00:00

    Hello ShahinMortazave

    You are probably missing the security patch kb5008380 and the actions described in the next article:

    https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

    For patching the servers you will need the next packages available in the next official security document depending on the system version, on the "Security Updates" section:

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287


    --If the reply is helpful, please Upvote and Accept as answer--


  2. Shahin Mortazave 491 Reputation points
    2022-01-07T12:25:56.433+00:00

    Thank you for your reply,
    As I have mentioned, all of the DCs have either the November updates or the December updates.

    I see these updates on my DC's:
    1XKB5007206
    1XKB5007260
    2XKB5007247
    2XKB5007247

    Two of the DCs have KB5007247 instead of KB5007260, and now the events on the other DCs show one of these 2 DCs in their system events. Can we still install KB5007260 on these 2 DCs? Or, because KB5007247 has replaced KB5007260, would it be enough? But if it is enough, why do we still see the name of this DC in the event logs of the other DCs?

    Thanks


  3. Anonymous
    2022-01-07T14:00:41.937+00:00

    KB5007247 applies to 2012 R2, KB5007260 applies only to 2012 (non R2), so they are not interchangeable. You may get one event for every user. See my post above.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Shahin Mortazave 491 Reputation points
    2022-01-11T09:04:34.94+00:00

    It looks like event 37 stopped getting logged since 01/08/22; I guess it just needed some time.
    Thank you for your suggestions.
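
One way to watch the behaviour discussed in this thread, as an added example that is not part of any post above: parse the event 37 message fields quoted in the question and tally the events by the DC that built the PAC and by day, so you can see which DC is named and whether the count is falling. The function name, the `DC-A`/`DC-B` host names and the sample records are assumptions made for the illustration.

```powershell
# Added example (not from the thread). ConvertFrom-KdcEvent37 is a hypothetical helper name.
function ConvertFrom-KdcEvent37 {
    param(
        # Record with MachineName, TimeCreated and Message, as returned by Get-WinEvent
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Record
    )
    process {
        $fields = @{}
        foreach ($label in 'Ticket PAC constructed by', 'Client', 'Ticket for') {
            # Each field sits on its own "Label: value" line of the message text
            $pattern = '(?m)^\s*' + [regex]::Escape($label) + ':[ \t]*(\S.*?)\s*$'
            if ($Record.Message -match $pattern) { $fields[$label] = $Matches[1] }
        }
        [pscustomobject]@{
            LoggedOn   = $Record.MachineName
            Day        = $Record.TimeCreated.ToString('yyyy-MM-dd')
            PacBuiltBy = $fields['Ticket PAC constructed by']
            Client     = $fields['Client']
            TicketFor  = $fields['Ticket for']
        }
    }
}

# Constructed sample records; the field lines are copied from the event quoted in the question.
# DC-A and DC-B are placeholder names for the DCs that logged the event.
$text = @'
The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket.

Ticket PAC constructed by: DCSERV5
Client: Mydomain.LOCAL\SERVER$
Ticket for: krbtgt
'@
$events = @(
    [pscustomobject]@{ MachineName = 'DC-A'; TimeCreated = [datetime]'2022-01-06'; Message = $text }
    [pscustomobject]@{ MachineName = 'DC-B'; TimeCreated = [datetime]'2022-01-06'; Message = $text }
    [pscustomobject]@{ MachineName = 'DC-A'; TimeCreated = [datetime]'2022-01-07'; Message = $text }
)

# On real DCs, replace $events with the System-log query (DC names are placeholders):
# $events = 'DC-A', 'DC-B' | ForEach-Object {
#     Get-WinEvent -ComputerName $_ -ErrorAction SilentlyContinue -FilterHashtable @{
#         LogName = 'System'; Id = 37
#         ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' } }

# One row per (PAC-building DC, day) with the number of events seen
$events | ConvertFrom-KdcEvent37 |
    Group-Object PacBuiltBy, Day | Sort-Object Name | Select-Object Count, Name
```

Grouping on `Client` instead of `Day` lists the accounts that are still presenting tickets without the new PAC information.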

