Forum Discussion
KB5016623 Issues with AAD App Proxy
Hello
We have encountered some issues with KB5016623. This is causing the server (Windows Server 2019 running IIS) to crash after 5 to 10 minutes and to be unable to use AAD App Proxy connections that are set up to use Windows Authentication on the backend via Kerberos.
We have 2 different scenarios:
- A webserver with some legacy Windows auth based apps, alongside newer apps that use modern auth. The AAD App Proxy connector is also installed on the webserver. The newer apps using modern auth are working fine, but the old Windows auth apps are failing to authenticate. Errors are:
- Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The handle specified is invalid (0x80090301)
After about 5-10 minutes, the server seems to crash with this error:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005.The machine must now be restarted. The process wininit.exe has initiated the restart of computer <ServerName> on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shut-down Type: restart
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.
- Another server, this one only with AAD app proxy that accesses a separate SSRS Web Server with the same issues as above.
In both examples, uninstalling KB5016623 has resolved the issue. We don't seem to be seeing any issues with other servers e.g. DCs at present. It mainly seems to be the combination of KB5016623 and AAD App Proxy with Kerberos back ends. Anyone else seeing any similar problems?
Thanks
Andy
- hawkboy (Copper Contributor)
Hi Andrew,
We had the same issue today. Uninstalling KB5016623 resolved it as well. I've logged it with Microsoft. Will report back when they respond.
Glen.
- GeirF (Copper Contributor)
Hi,
We have the same issue, on 2019 with KB5016623.
Have a support case with MS, but not gotten any breakthrough yet other than uninstalling the patch.
- John_Tinson (Copper Contributor)
Thanks for the heads up Andrew. Had issues with our WebApp Proxy this morning caused by the Windows 2012 R2 security update KB5016681. Uninstalled the update and service is operational again. I expect MS will be looking into this at some point shortly.
- Andrew_Allston (Iron Contributor)
No one is safe apparently 🙂
- GeirF (Copper Contributor)
Anyone else using "RunAsPPL" LSA protection on the servers?
As part of debugging with MS I had to remove the RunAsPPL reg key to be able to trace lsass.
To my surprise the AAD App Proxy started working after removing the reg key and rebooting the server, with KB5016681 installed.
Ref: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
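As an added, read-only triage script (not code from any poster in this thread, and not Microsoft's), the following checks a server for the combination described above: one of the updates named in the thread installed, LSA protection (RunAsPPL) configured, and the connector's Kerberos error or the lsass.exe crash present in the event logs. The RunAsPPL registry location is the one documented in the linked article; the connector's event log name, the Wininit provider name and the message matching are assumptions and are labelled as such in the comments.

```powershell
# Added triage script, not from any poster in this thread. Read-only: it only
# reads installed updates, one registry value and event logs; it changes nothing.

# KB numbers exactly as given in the thread (2019 / 2016 / 2012 R2 builds)
$KnownUpdates = @('KB5016623', 'KB5016622', 'KB5016681')

function Get-InstalledThreadUpdates {
    # Get-HotFix wraps Win32_QuickFixEngineering; HotFixID is the KB string
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KnownUpdates -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

function Get-LsaProtectionState {
    # RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, per the Microsoft
    # "additional LSA protection" article linked in the thread
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPL = if ($null -ne $lsa.RunAsPPL) { $lsa.RunAsPPL } else { 'not set' }
    }
}

function Get-ConnectorKerberosErrors {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Assumption: the connector writes its admin events to this
    # Applications and Services log; adjust if your connector logs elsewhere.
    $logName = 'Microsoft-AadApplicationProxy-Connector/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x80090301|handle specified is invalid' } |
        Select-Object TimeCreated, Id, Message
}

function Get-LsassCrashEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Assumption: the "critical system process ... failed" message quoted in the
    # thread is logged by the Wininit provider in the System log.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' } |
        Select-Object TimeCreated, Id, Message
}

# Summary for the last 24 hours
$updates    = @(Get-InstalledThreadUpdates)
$lsa        = Get-LsaProtectionState
$kerbErrors = @(Get-ConnectorKerberosErrors)
$crashes    = @(Get-LsassCrashEvents)

"Installed thread KBs           : $(if ($updates) { $updates.HotFixID -join ', ' } else { 'none' })"
"LSA RunAsPPL                   : $($lsa.RunAsPPL)"
"Connector Kerberos errors (24h): $($kerbErrors.Count)"
"lsass.exe crash events (24h)   : $($crashes.Count)"

if ($updates -and $lsa.RunAsPPL -eq 1 -and ($kerbErrors -or $crashes)) {
    "Pattern matches this thread: affected update + RunAsPPL + connector/lsass symptoms."
    "Uninstalling the update restores service per the thread; removing RunAsPPL also works but lowers LSA protection, so prefer the update rollback or the fixed update."
}
```

Run it in an elevated PowerShell session on the connector server; the event log queries return nothing (rather than failing) when a log is absent, so a count of 0 with the update installed is worth re-checking against the log names your connector actually uses.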
- Andrew_Allston (Iron Contributor)
Thank you Andrew! This is the only hit on this issue. My company also hit this this morning. Uninstalling 5016623 from the 2019 Proxy Servers fixed the issue. Kudos 👍
- Curro_Soto (Copper Contributor)
Hi!
We had exactly the same issue, but with 2016 servers and KB5016622.
Uninstalling this KB fixed the issue.
- Algiopio57 (Copper Contributor)
Nice info dude thx
- Kapil_Madaan (Copper Contributor)
We have an almost similar issue where AAD App Proxy servers stop authenticating apps, local user logon, and RDP via domain user.
We opened a case with Microsoft and have been told that it's a known issue and would be fixed in the November 2022 security update.
- freddy104 (Copper Contributor)
Have you or Microsoft come up with an approach to mitigate the issue when it happens?
- Felinxandy (Copper Contributor)
We ran into the same problem with KB5016623 today and uninstalling it fixed the issue. I’ve already logged it with Microsoft and will update once they respond. By the way, has anyone else here had experience with rotating mobile proxies?