Forum Discussion
Andrew Emmett
Aug 11, 2022, Brass Contributor
KB5016623 Issues with AAD App Proxy
Hello, we have encountered some issues with KB5016623. This is causing the server, Win 2019 server running IIS, to crash after 5 to 10 minutes and to be unable to use AAD App Proxy connections that ar...
- Aug 12, 2022
Hi Andrew,
We had the same issue today. Uninstalling KB016623 resolved it as well. I've logged it with Microsoft. Will report back when they respond.
Glen.
GeirF
Aug 22, 2022, Copper Contributor
Anyone else using "RunAsPPL" LSA Protections on the servers?
As part of debugging with MS I had to remove the RunAsPPL reg key to be able to trace lsass.
To my surprise the AAD App Proxy started working after removing the reg key and rebooting the server, with KB5016681 installed.
Ref: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
Andrew_Allston
Aug 24, 2022, Iron Contributor
GeirF. I was mistaken, I did have RunAsPPL enabled. I also disabled the ASR rule so I don't know if that has any impact. When it's safe to try I will re-enable the ASR LSASS rule and update the thread for anyone interested. Also, if anyone has any idea how to disable this in Azure it would be greatly appreciated. As per the doc, UEFI boxes can tattoo the setting in their UEFI. MS offers an EFI file to help remove the setting but it requires access to UEFI to accept the setting change. To my knowledge this is not possible in Azure so I just moved the apps to on-prem proxies till I rebuild or figure that part out. Thanks again!
- GeirF
Aug 25, 2022, Copper Contributor
To get access to UEFI on an Azure machine I think you will be able to if you use a "Repair VM with nested hyper-v".
Ref the "Repair VM with Nested Hyper-V example":
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/repair-windows-vm-using-azure-virtual-machine-repair-commands