MicrosoftThanks for posting about this. I have noticed these errors and finally have an explanation. Another good way to confirm the issue exists is to enable Kerberos logging to the SYSTEM event log on your print client:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters" -Name LogLevel -Type DWORD -Value 1 -Force
The Print Nightmare artifacts will appear in the System event log under Security-Kerberos Event ID 3 and look like this:
A Kerberos error message was received:
on logon session
Client Time:
Server Time: 11:2:33.0000 3/14/2023 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: domain.com
Server Name: krbtgt/NT Authority
Target Name: krbtgt/NT mailto:email address removed for privacy reasons
My system has not logged a single krbtgt/NT Authority Kerberos error since setting the RpcNamedPipeAuthentication registry value. This value should significantly reduce the amount of erroneous Kerberos traffic sent to our DCs.
Here are the commands I used to test on a single system:
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" -Name RpcNamedPipeAuthentication -Type DWORD -Value 2 -Force
Restart-Service Spooler