37 Kerberos-Key-distribution-Center

Anser Leon 41 Reputation points
2022-03-09T20:50:34.957+00:00

Hello there,

I have several DCs in my network (2012 Standard , 2016 Standard). One of my DCs keeps repeating the following error :
Event ID 37
Source : Kerberos-Key-Distribution-Center

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Ticket PAC constructed by: servername
Client: domain\username
Ticket for: krbtgt

I already followed the instructions on this link : https://go.microsoft.com/fwlink/?linkid=2173051 and setup every DC with the enforced registry key :

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc

I know this will be deployed by different phases.

However I still have a few questions :

  1. Is it normal to keep getting the error after we setup the enforced key on every DC ?
  2. Is there a way to make the error go away ?
  3. Is manually entering the enforcement key part of the process ?

Thanks in Advance.

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,548 questions
Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,611 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,481 questions
0 comments No comments
{count} votes

Accepted answer
  1. Anonymous
    2022-03-09T21:49:37.58+00:00

    Patch all the domain controllers as first step. Then each user will get the new improved authentication information PACs of Kerberos Ticket-Granting Tickets. (TGT) described in the KB

    Then it looks like you may get one warning for every user.

    https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
    Adds the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated.

    the PacRequestorEnforcement registry value's only function is to allow you to transition to the Enforcement phase early. Otherwise not needed.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


5 additional answers

Sort by: Most helpful
  1. Jdharvey 0 Reputation points
    2023-05-23T16:24:35.8566667+00:00

    I have fully patched all DC's and still receiving Event 37, Kerberos-Key-Distribution-Center repeatedly on accounts. I read that you should get one per user, I am getting multiple per user, per day.

    I am not sure what else to do at this point. I am having issues with RDP, and other kerberos related authentication. The only way around the RDP auth issue is to use the IP address, or sometimes to reboot DC's.

    App servers will fail SSO using Kerberos, which requires a reboot of the DC that the user is authenticating from.

    0 comments No comments

  2. TI 0 Reputation points
    2023-06-07T22:50:28.0733333+00:00

    I am experiencing the same exact problem as Jdharvey. Hoping someone would post a solutions. My last resort is to rebuild the DC. Not even sure if this will resolve this issue.

    0 comments No comments

  3. Lepto92 0 Reputation points
    2023-06-13T12:18:54.1466667+00:00

    Hi,

    Did you find a solution at your problem i Have exactly same issue after first install of 2019DC on 2008R2 forest.

    So i don't Know if i have to decommission all 2008R2 DC and it will be find or not.

    Or do i have to install all patches included in the article manually because i don't have extended support so no more updates.

    I'm a little bit confused about which patch i have to install 

    On 2019 they are already up to date do i need to do something ?

    Thanks in advanced 

    0 comments No comments

  4. TI 0 Reputation points
    2023-06-26T20:22:35.38+00:00

    NOT the answer but feeling like I'm getting closer to a solutions. As mentioned on my earlier post, I am experiencing the same issue (Event ID 37) as the post above and also prevents users from being able to RDP. This is not the solution, rather a workaround which is better that having to constantly reboot the DC. I narrowed it down and found that by temporary disabling the kdc service or disabling the NIC, the affected users were successfully able RDP. I know it's not much but hoping this information helps someone might use this information to find a permanent solution.

    My setup - 3 Windows 2019 Domain servers, schema 2016 and only one DC is generating Event ID 37. This culprit DC is also the only one fully patched. I'm hesitant on patching the rest as I am worried this my trigger more problems afterwards.

    I found the following articles/forums useful to some degree, although none helped resolve this issue.

    https://techcommunity.microsoft.com/t5/windows-it-pro-blog/latest-windows-hardening-guidance-and-key-dates/ba-p/3807832

    https://my.f5.com/manage/s/article/K40933118

    https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3052


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.