Kerberos impersonation stops working after november update on domain controllers


Jon Anders Skorpen

Hi. We have two ADC HA pairs running different HTTPS services. Both pairs have a load balancing vserver with AAA doing SAML, and Kerberos impersonation towards the backend web server.

After installing the November update on our 2019 domain controllers, this has stopped working. Half of our domain controllers are updated, and about half of our users get a 401 from the backend server; for the rest of the users it is working as normal. The SAML AAA vserver is working and authenticates all users. It seems to be Kerberos towards the backend that has the problem.

We have removed the november update, and after a couple of hours, it started working again for one of the HA pairs. Not yet for the other.

They are running 13.0-76.31 and 13.0-71.44.

The November update contains this fix, which I believe to be the problem: https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

My question is if anyone else has experienced this with the November update on domain controllers while doing Kerberos impersonation on the NetScaler.

4 hours ago, Jon Anders Skorpen said:


Similar issues here (Azure SAML to KCD; 401 errors), suspecting the same cause. PAC errors show in the domain controller logs. Have not removed the updates yet, still testing.

nskrb.log shows

ns_process_kcd_req s4u2proxy sending reject to kernel because of error -1765328343


11 hours ago, STEVEN ROTH said:


Excellent. This is exactly what we see on our domain controllers. Couldn't find nskrb.log (only nskrb.debug, which seems to be real-time output), so I'm not sure if we got those.

We have opened a case with Citrix Support, and have mentioned that we suspect the November update from Microsoft.

42 minutes ago, Carl Stalhood1709151912 said:

Almost certainly is the case. DCs in my environment are 2012 R2, so not limited to 2019. While I have the opportunity: thank you Carl for all your contributions, you are a legend.

KCD is affected too, and it doesn't help to disable the new security setting on the DCs through the registry :-(

I tried HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc PacRequestorEnforcement=0 and rebooted every DC, but the issue persists.

TGT and S4U tickets are created on the NetScaler, but the TGS ticket fails with error "ns_kgetcred krb5_get_creds returned -1765328343".

Any help is highly appreciated.

Edit: Uninstalling the Nov. update on all DCs helps, but after rebooting all DCs it took several hours to fix the Kerberos problems.

Edited by Eckart Gutzeit
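Both the nskrb.log line Steven Roth quoted ("s4u2proxy sending reject ... error -1765328343") and the "ns_kgetcred krb5_get_creds returned -1765328343" line in Eckart Gutzeit's post carry the same negative number. That is an MIT krb5 com_err code: the table base is -1765328384, so -1765328343 is protocol error 41, KRB5KRB_AP_ERR_MODIFIED ("Message stream modified"), which the KDC returns when it rejects the S4U2Proxy TGS request. The following Python script is an added example for triaging such log excerpts, not part of the thread or of any Citrix tool: it decodes the code to its name and flags the delegation-failure pattern reported here. The log lines are constructed from the strings quoted in the thread, the error-table subset is only the handful of codes relevant to constrained delegation, and the regex assumes the code is the last token on the line, as in the quoted lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Base of the MIT krb5 com_err error table; a com_err value is base + RFC 4120 error number.
KRB5_ERROR_TABLE_BASE = -1765328384

# Small subset of the krb5 error table, enough for constrained-delegation troubleshooting.
KRB5_ERROR_NAMES = {
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    13: "KRB5KDC_ERR_BADOPTION",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB5KRB_AP_ERR_SKEW",
    41: "KRB5KRB_AP_ERR_MODIFIED",
}

# Constructed sample: the two error lines quoted in this thread plus one benign line
# (assumption: a successful krb5_get_creds call is logged with return code 0).
SAMPLE_LOG_LINES = [
    "ns_process_kcd_req s4u2proxy sending reject to kernel because of error -1765328343",
    "ns_kgetcred krb5_get_creds returned 0",
    "ns_kgetcred krb5_get_creds returned -1765328343",
]

# The code is the trailing signed integer after "error" or "returned" (matches the quoted lines).
ERROR_CODE_RE = re.compile(r"(?:error|returned)\s+(-?\d+)\s*$")
# Which Kerberos step the line belongs to, if the line names one.
STAGE_RE = re.compile(r"\b(s4u2self|s4u2proxy|krb5_get_creds)\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    stage: Optional[str]   # e.g. "s4u2proxy", or None if the line names no stage
    code: int              # raw com_err value from the log
    errno: int             # RFC 4120 error number (code - table base)
    name: str              # symbolic krb5 name, or a placeholder if not in our subset


def decode_krb5_error(code: int) -> Tuple[int, str]:
    """Map a negative com_err value to (error number, krb5 symbolic name)."""
    errno = code - KRB5_ERROR_TABLE_BASE
    if 0 <= errno <= 255:
        return errno, KRB5_ERROR_NAMES.get(errno, f"KRB5 error {errno} (not in local table)")
    return errno, "not a krb5 com_err code"


def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that reports a non-zero krb5 error code."""
    findings: List[Finding] = []
    for raw in lines:
        m = ERROR_CODE_RE.search(raw)
        if not m:
            continue
        code = int(m.group(1))
        if code == 0:          # success, nothing to triage
            continue
        stage = STAGE_RE.search(raw)
        errno, name = decode_krb5_error(code)
        findings.append(Finding(raw.strip(), stage.group(1).lower() if stage else None, code, errno, name))
    return findings


def matches_thread_symptom(findings: List[Finding]) -> bool:
    """True when the S4U2Proxy / krb5_get_creds step fails with KRB_AP_ERR_MODIFIED (41),
    the pattern reported in this thread. It is a triage hint, not a definitive diagnosis."""
    return any(f.stage in ("s4u2proxy", "krb5_get_creds") and f.errno == 41 for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG_LINES)
    for f in found:
        print(f"[{f.stage or 'unknown stage'}] {f.code} -> {f.errno} {f.name}")
    print("S4U2Proxy KRB_AP_ERR_MODIFIED pattern present:", matches_thread_symptom(found))
```

Feed it the relevant lines from nskrb.log (or from nskrb.debug captured during a failing request) and the decoded name is what to quote in a support case; a different error number on the same reject line would point at a different cause than the one discussed here.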
