Some users unable to connect to AVD. Kerberos errors after KB5019964 installed on our DC

Hi everyone,

Heads up to anyone who may be facing this. Walked in today, Monday morning, to some users unable to connect to AVD. It would launch, then hit them with the lock screen instantly and prompt for a password (despite them just using it to log in). Users could re-auth, but it would take them to a temp profile, not FSLogix.

After 2 hours of stress we found our DC had installed an update on the 11th of Nov: KB5019964. We had to remove it and reboot the DC, after which all works fine again.

There were many events on the DC as below.

SYSTEM Event 14: While processing an AS request for target service krbtgt, the account XXXX did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 17 23 24 -135 3. The accounts available etypes : 23 18 17. Changing or resetting the password of XXXXX will generate a proper key. ** (changing password did nothing)

Nothing on MS or Google about this error currently, as far as I know? Keen to know if anyone else faced this issue.

Thanks
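A triage sketch for the Event 14 text quoted in the post above, added here as an example and not part of the original thread: it parses the requested and available etype lists and flags events where the two overlap even though the KDC reported no suitable key, the case in which, as the poster found, a password reset changes nothing. The function name, the `contradictory` field and the second sample message are assumptions made for illustration.

```python
import re

# Kerberos encryption type numbers seen in the event text; -135 is left
# unnamed here and reported by number only.
ETYPE_NAMES = {3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
               18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC", 24: "RC4-HMAC-EXP"}

# Matches the KDC "no suitable key" message (System log, Event ID 14).
EVENT14 = re.compile(
    r"While processing an? (?P<req>AS|TGS) request for target service (?P<svc>\S+), "
    r"the account (?P<acct>\S+) did not have a suitable key.*?"
    r"requested etypes\s*:\s*(?P<want>[-\d ]+)\.\s*"
    r"The accounts available etypes\s*:\s*(?P<have>[-\d ]+)\.",
    re.S)


def analyse_event14(message):
    """Return parsed etype data for one Event 14 message, or None if no match."""
    m = EVENT14.search(message)
    if m is None:
        return None
    want = [int(t) for t in m["want"].split()]
    have = [int(t) for t in m["have"].split()]
    shared = [e for e in want if e in have]  # kept in the client's preference order
    return {
        "account": m["acct"],
        "request": m["req"],
        "shared": shared,
        "shared_names": [ETYPE_NAMES.get(e, str(e)) for e in shared],
        # Assumption for triage: a shared etype means the account already holds
        # a key the client asked for, so the event contradicts itself.
        "contradictory": bool(shared),
    }


# Message text as quoted in the post (account name redacted there as XXXX).
FROM_POST = ("While processing an AS request for target service krbtgt, the account "
             "XXXX did not have a suitable key for generating a Kerberos ticket (the "
             "missing key has an ID of 1). The requested etypes : 18 17 23 24 -135 3. "
             "The accounts available etypes : 23 18 17.")
# Constructed contrast case (not from the thread): no etype in common.
CONSTRUCTED = ("While processing a TGS request for target service host/app01, the "
               "account svc_demo did not have a suitable key for generating a Kerberos "
               "ticket. The requested etypes : 18 17. The accounts available etypes : 23.")

if __name__ == "__main__":
    for msg in (FROM_POST, CONSTRUCTED):
        print(analyse_event14(msg))
```

Events flagged `contradictory` across many accounts at once point at the KDC rather than at individual account keys.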

 

7 Replies
We were given a heads up by our Microsoft TAM on Friday not to deploy the Nov patches to our domain controllers, which we were planning to do on the weekend. They are aware of a bug in the patch that breaks the KDC service on DCs.

Well that is good to know, thanks. Hope this saves some time for others searching for this issue.

Imagine there will be a 'known issue' specified on the KB soon enough.
best response confirmed by PaulStirling (Brass Contributor)

Hi @PaulStirling 

We are having some serious connection issues with our SQL databases and have been trying to get this update removed for the past ~6 hours -- did you run into any issues with uninstalling it?? 

We tried uninstalling it on 3 servers so far, and all 3 get stuck on reboot and spinning at "Working on updates 100%".

On one of them we booted into recovery mode with command prompt and tried removing the package with dism. It's been stuck at 98.7% for 2+ hours...

@abtechnick oof, sorry to hear that. Frustrating problem for sure.

Only had the update on one DC thankfully. Uninstaller took 5 mins. Reboot quick, then sat at 100% for about 30 mins. DC was accessible in that state however, so just left it going, with issue immediately fixed.

Seems it's a case of waiting

The 1st server just finished sitting at "working on updates 100%" for 4+ hours and booted back up, and the update is still there...
The 2nd server using dism just finished and is rebooting, but still stuck on "working on updates 100%"... still not sure if it actually removed it or not.

Any insight is appreciated... this is worse than malware
FYI, our Microsoft TAM has advised there will be an OOB patch being released 17/11 to fix this.