37 Kerberos-Key-distribution-Center

Anser Leon 41 Reputation points
2022-03-09T20:50:34.957+00:00

Hello there,

I have several DCs in my network (2012 Standard, 2016 Standard). One of my DCs keeps repeating the following error:
Event ID 37
Source: Kerberos-Key-Distribution-Center

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Ticket PAC constructed by: servername
Client: domain\username
Ticket for: krbtgt

I already followed the instructions on this link: https://go.microsoft.com/fwlink/?linkid=2173051 and set up every DC with the enforced registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc

I know this will be deployed by different phases.

However I still have a few questions :

  1. Is it normal to keep getting the error after we set up the enforced key on every DC?
  2. Is there a way to make the error go away?
  3. Is manually entering the enforcement key part of the process?

Thanks in Advance.


Accepted answer
  1. Dave Patrick 426.1K Reputation points MVP
    2022-03-09T21:49:37.58+00:00

    Patch all the domain controllers as the first step. Then each user will get the new, improved authentication information PACs of Kerberos Ticket-Granting Tickets (TGT) described in the KB.

    Then it looks like you may get one warning for every user.

    https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
    Adds the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated.

    The PacRequestorEnforcement registry value's only function is to allow you to transition to the Enforcement phase early. Otherwise it is not needed.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
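    As an added example (not code from the thread or from Microsoft), the PowerShell below audits every DC for the PacRequestorEnforcement value under the Kdc key named in the question and summarizes Event ID 37 by reporting DC, the DC that constructed the PAC, and the client account, which makes an unpatched or misconfigured DC stand out. It assumes the ActiveDirectory RSAT module, WinRM access to each DC, and the KDC provider name given below (an assumption; confirm it in Event Viewer if the query returns nothing).

```powershell
# Added example: audit PacRequestorEnforcement on all DCs and summarize KDC Event ID 37.
# Assumptions: RSAT ActiveDirectory module, WinRM reachable on every DC, and the
# provider name below (confirm it in Event Viewer under the System log).
$KdcKey    = 'HKLM:\System\CurrentControlSet\Services\Kdc'
$ValueName = 'PacRequestorEnforcement'   # per KB5008380: 0 = disabled, 1 = deployment (default), 2 = enforcement
$Provider  = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$Since     = (Get-Date).AddDays(-1)

$dcs = (Get-ADDomainController -Filter *).HostName

# 1. Registry audit: one row per DC; 'not set' means the KDC is using the phase default.
$regAudit = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($key, $name)
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        DC                      = $env:COMPUTERNAME
        PacRequestorEnforcement = if ($null -eq $v) { 'not set' } else { $v }
    }
} -ArgumentList $KdcKey, $ValueName
$regAudit | Sort-Object DC | Format-Table DC, PacRequestorEnforcement -AutoSize

# 2. Event 37 summary: parse the three fields the event message carries
#    ("Ticket PAC constructed by", "Client", "Ticket for").
$events = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($provider, $since)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = $provider; Id = 37; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                ReportingDC   = $env:COMPUTERNAME
                ConstructedBy = if ($m -match 'Ticket PAC constructed by:\s*(\S+)') { $Matches[1] } else { '?' }
                Client        = if ($m -match 'Client:\s*(\S+)') { $Matches[1] } else { '?' }
                TicketFor     = if ($m -match 'Ticket for:\s*(\S+)') { $Matches[1] } else { '?' }
                Time          = $_.TimeCreated
            }
        }
} -ArgumentList $Provider, $Since

# A DC that keeps appearing in ConstructedBy is the one still issuing tickets without the new PAC.
$events | Group-Object ReportingDC, ConstructedBy, Client |
    Select-Object @{n='ReportingDC';  e={ $_.Group[0].ReportingDC }},
                  @{n='ConstructedBy';e={ $_.Group[0].ConstructedBy }},
                  @{n='Client';       e={ $_.Group[0].Client }},
                  Count,
                  @{n='LastSeen';     e={ ($_.Group | Measure-Object Time -Maximum).Maximum }} |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

    Run it from an elevated domain-admin session; a value of 2 on every DC alongside a ConstructedBy column naming a single server points at that server rather than at the registry setting.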


5 additional answers

  1. Jdharvey 0 Reputation points
    2023-07-20T15:31:03.26+00:00

    I still cannot resolve my issue. I have all of my DCs updated and patched. The errors are only coming from 1 DC and it is a Windows Server 2022 domain controller. I am constantly getting Event 37, for the same users multiple times. I have 12 DCs and just this one is having this issue.

    I am not sure what else to do at this point. I am having issues with RDP and other Kerberos-related authentication. The only way around the RDP auth issue is to use the IP address, or sometimes to reboot DCs.

    App servers will fail SSO using Kerberos, which requires a reboot of the DC that the user is authenticating from.
