Andrew Emmett
Aug 11, 2022

KB5016623 Issues with AAD App Proxy

Hello

We have encountered some issues with KB5016623. This is causing the server, Win 2019 server running IIS, to crash after 5 to 10 minutes and to be unable to use AAD App Proxy connections that are set up to use Windows Authentication on the backend via Kerberos.

 

We have 2 different scenarios:

  1. A webserver with some legacy Windows auth based apps, alongside newer apps that use modern auth. The AAD app proxy connector is also installed on the webserver. The newer apps using modern auth are working fine, but the old Windows auth apps are failing to authenticate. Errors are:
    • Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The handle specified is invalid (0x80090301)

      After about 5-10 minutes, the server seems to crash with this error:
      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005.The machine must now be restarted.

    • The process wininit.exe has initiated the restart of computer <ServerName> on behalf of user  for the following reason: No title for this reason could be found
       Reason Code: 0x50006
       Shut-down Type: restart
       Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819.  The system will now shut down and restart.

  2. Another server, this one only with AAD app proxy that accesses a separate SSRS Web Server with the same issues as above.

In both examples, uninstalling KB5016623 has resolved the issue. We don't seem to be seeing any issues with other servers e.g. DCs at present. It mainly seems to be the combination of KB5016623 and AAD App Proxy with Kerberos back ends.  Anyone else seeing any similar problems?

Thanks

Andy
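
The failure sequence reported above, as an added triage example that is not part of the original post: it scans exported event messages for the Kerberos ticket error and the lsass.exe crash, normalizes the two spellings of the crash status (c0000005 and -1073741819), and pairs each crash with the first ticket failure before it. The timestamps, the 15-minute window and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: timestamps are invented, message wording is from the post.
SAMPLE_EVENTS = [
    ("2022-08-11 09:00:12", "Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos "
     "ticket on behalf of the user because of the following general API error: "
     "The handle specified is invalid\n(0x80090301)"),
    ("2022-08-11 09:07:40", "A critical system process, C:\\WINDOWS\\system32\\lsass.exe, "
     "failed with status code c0000005.The machine must now be restarted."),
    ("2022-08-11 09:07:41", "The system process 'C:\\WINDOWS\\system32\\lsass.exe' terminated "
     "unexpectedly with status code -1073741819."),
    ("2022-08-11 11:30:00", "Unrelated informational event"),
]

# (kind, pattern, numeric base of the captured status code)
PATTERNS = [
    ("kerberos_failure", re.compile(r"cannot retrieve a Kerberos ticket.*\(0x([0-9A-Fa-f]{8})\)", re.S), 16),
    ("lsass_crash", re.compile(r"lsass\.exe, failed with status code ([0-9A-Fa-f]{8})"), 16),
    ("lsass_crash", re.compile(r"lsass\.exe' terminated unexpectedly with status code (-?\d+)"), 10),
]
NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0x80090301: "SEC_E_INVALID_HANDLE"}

def classify(message):
    """Return (kind, unsigned 32-bit status code), or None if the message is unrelated."""
    for kind, pattern, base in PATTERNS:
        match = pattern.search(message)
        if match:
            # Signed decimal (-1073741819) and bare hex (c0000005) are the same code.
            return kind, int(match.group(1), base) & 0xFFFFFFFF
    return None

def correlate(events, window=timedelta(minutes=15)):
    """Report each lsass crash with the first Kerberos failure seen in the window before it."""
    incidents, failures, last_crash = [], [], None
    for stamp, message in sorted(events):
        hit = classify(message)
        if hit is None:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if hit[0] == "kerberos_failure":
            failures.append(when)
        elif last_crash is None or when - last_crash > timedelta(minutes=1):
            prior = [f for f in failures if timedelta(0) <= when - f <= window]
            incidents.append({"crash": when, "status": NAMES.get(hit[1], hex(hit[1])),
                              "first_failure": min(prior) if prior else None})
            last_crash = when
    return incidents

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

The two crash messages logged a second apart are reported as one incident, since both describe the same lsass.exe termination.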

  • hawkboy

    Andrew Emmett 

    Hi Andrew,

     

    We had the same issue today. Uninstalling KB016623 resolved it as well. I've logged it with Microsoft. Will report back when they respond.

     

    Glen. 

  • GeirF

    Hi,

    We have the same issue, on 2019 KB016623.
    We have a support case with MS, but have not gotten any breakthrough yet other than uninstalling the patch.
  • John_Tinson
    Thanks for the heads up Andrew. Had issues with our WebApp Proxy this morning caused by the Windows 2012 R2 security update KB5016681. Uninstalled the update and service is operational again. I expect MS will be looking into this at some point shortly.
  • Thank you Andrew! This is the only hit on this issue. My company also hit this this morning. Uninstalling 5016623 from the 2019 Proxy Servers fixed the issue. Kudos 👍
    • Kapil_Madaan
      We have an almost similar issue where AAD App Proxy servers stop authenticating apps, local user logon, and RDP via domain user.
      We opened a case with Microsoft and have been told that it's a known issue and would be fixed in the November 2022 security update.
      • freddy104
        Have you or Microsoft come up with an approach to mitigate the issue when it happens?
  • Felinxandy

    We ran into the same problem with KB5016623 today and uninstalling it fixed the issue. I’ve already logged it with Microsoft and will update once they respond. By the way, has anyone else here had experience with rotating mobile proxies?
