Symptoms or Error
- VDAs fail to register with the Cloud Connectors in Citrix DaaS, and with the Delivery Controllers (DDCs) in on-premises CVAD environments, after Microsoft update KB5019966 (Windows Server 2019) or KB5019964 (Windows Server 2016) is applied.
Cloud Connector CDF trace error:
BrokerProxyPlugin.LocalTest - Failed to test the VDA communication - System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://10.x.x.x/Citrix/VirtualDesktopAgent/IQueryAgent' for target 'http://10.x.x.x/Citrix/VirtualDesktopAgent/IQueryAgent' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: The Security Support Provider Interface (SSPI) negotiation failed.
- Gpupdate /force on affected machines also fails with the error:
- Event ID 14 (Error) with source Microsoft-Windows-Kerberos-Key-Distribution-Center is logged in the System log of your Domain Controllers with the text below. Note: affected events contain the phrase "the missing key has an ID of 1"; Event ID 14 entries without that phrase are a different problem.
Solution
Work-Around 1: Install the Microsoft Out-of-Band (OOB) hotfixes released for this issue.
Microsoft released OOB updates for every server OS affected by the respective November 8, 2022 updates. The Windows Server 2016 and 2019 fixes (KB5021654 and KB5021655) are cumulative and install through Windows Update or the Microsoft Update Catalog; the following older operating systems, which were also affected, received standalone updates:
- Windows Server 2022: KB5021656
- Windows Server 2019: KB5021655
- Windows Server 2016: KB5021654
- Windows Server 2012 R2: KB5021653
- Windows Server 2012: KB5021652
- Windows Server 2008 R2 SP1: KB5021651 (released November 18, 2022)
- Windows Server 2008 SP2: KB5021657
Install the OOB update on all Domain Controllers first (the KDC is where the failure occurs), then on Delivery Controllers and Cloud Connectors, and verify VDA registration before removing any other workaround.
Reference Article: https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#2961
Work-Around 2: Microsoft's interim workaround is to set the following registry value on all AD Domain Controllers (it must be applied on every DC, because any DC can service the VDA's or Connector's ticket request):
reg add HKLM\System\CurrentControlSet\Services\Kdc /t REG_DWORD /v ApplyDefaultDomainPolicy /d 0 /f
- This value stops the KDC from applying the default domain Kerberos encryption-type policy that the November 8 update changed. Treat it as temporary: document it, and remove it (delete the value) once the OOB update from Work-Around 1 is installed and VDA registration has been verified.
- Customers are requested to engage Microsoft Support for a permanent resolution.
Work-Around 3:
- Temporarily uninstall KB5019966 or KB5019964 until a full resolution is available. Do this only after verifying with any internal Security Teams or Microsoft Support: removing the update also removes the Netlogon and Kerberos hardening for CVE-2022-38023, CVE-2022-37966 and CVE-2022-37967, so Work-Arounds 1 and 2 are preferred.
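The following PowerShell is an added example, not code from the Citrix article, that ties the Symptoms section to Work-Arounds 1 and 2: it inventories every Domain Controller for the November 8 update, the matching OOB fix, the ApplyDefaultDomainPolicy value, and KDC Event ID 14 entries carrying "the missing key has an ID of 1", and it can apply or revert Work-Around 2 on all DCs in one step. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and Domain Admin rights; the function names and the 24-hour event window are this example's own choices, and the KB list covers only the operating systems named in the article.

```powershell
# Added example (not part of the Citrix article). Assumes: RSAT ActiveDirectory module,
# WinRM (Invoke-Command) to every DC, Domain Admin rights.
#Requires -Modules ActiveDirectory

# November 8, 2022 cumulative updates named in the article (2019 / 2016) and the OOB fixes
# listed under Work-Around 1. Extend these lists for other OS versions in your estate.
$NovemberKBs = 'KB5019966', 'KB5019964'
$OobKBs      = 'KB5021656', 'KB5021655', 'KB5021654', 'KB5021653', 'KB5021652', 'KB5021651', 'KB5021657'
$KdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-KdcPatchState {
    # One row per DC: which update is present, whether the workaround value is set,
    # and how many "missing key has an ID of 1" KDC events fired in the last 24 hours.
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $NovemberKBs, $OobKBs, $KdcKey -ScriptBlock {
        param($nov, $oob, $key)
        $hotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
        $reg = Get-ItemProperty -Path $key -Name ApplyDefaultDomainPolicy -ErrorAction SilentlyContinue
        # Event ID 14 from the KDC provider; only entries with the "missing key" text match this issue.
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 14
            StartTime    = (Get-Date).AddDays(-1)      # 24-hour window: example's own choice
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'missing key has an ID of 1' }
        [pscustomobject]@{
            DC                       = $env:COMPUTERNAME
            NovemberUpdate           = ($hotfixes | Where-Object { $_ -in $nov }) -join ','
            OobFix                   = ($hotfixes | Where-Object { $_ -in $oob }) -join ','
            ApplyDefaultDomainPolicy = if ($reg) { $reg.ApplyDefaultDomainPolicy } else { '(not set)' }
            Event14MissingKey1       = @($events).Count
        }
    } | Select-Object DC, NovemberUpdate, OobFix, ApplyDefaultDomainPolicy, Event14MissingKey1
}

function Set-KdcApplyDefaultDomainPolicy {
    # Work-Around 2 on every DC. Without -Revert, sets ApplyDefaultDomainPolicy = 0 (same effect as
    # the article's reg add command). With -Revert, deletes the value so the KDC returns to its default
    # behaviour; use this after the OOB update is installed and registration has been verified.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [switch]$Revert
    )
    foreach ($dc in $ComputerName) {
        $action = if ($Revert) { 'Remove ApplyDefaultDomainPolicy' } else { 'Set ApplyDefaultDomainPolicy = 0' }
        if (-not $PSCmdlet.ShouldProcess($dc, $action)) { continue }
        Invoke-Command -ComputerName $dc -ArgumentList $Revert.IsPresent, $KdcKey -ScriptBlock {
            param([bool]$revert, $key)
            if ($revert) {
                Remove-ItemProperty -Path $key -Name ApplyDefaultDomainPolicy -ErrorAction SilentlyContinue
            } else {
                New-ItemProperty -Path $key -Name ApplyDefaultDomainPolicy -PropertyType DWord -Value 0 -Force | Out-Null
            }
            $now = (Get-ItemProperty -Path $key -Name ApplyDefaultDomainPolicy -ErrorAction SilentlyContinue).ApplyDefaultDomainPolicy
            [pscustomobject]@{ DC = $env:COMPUTERNAME; ApplyDefaultDomainPolicy = if ($null -eq $now) { '(not set)' } else { $now } }
        }
    }
}

# Usage:
Get-KdcPatchState | Format-Table -AutoSize
# Set-KdcApplyDefaultDomainPolicy -WhatIf        # preview Work-Around 2 on all DCs
# Set-KdcApplyDefaultDomainPolicy                # apply it
# Set-KdcApplyDefaultDomainPolicy -Revert        # remove it once the OOB fix is in place
```

A DC that shows the November update, no OOB fix, ApplyDefaultDomainPolicy "(not set)" and a non-zero Event14MissingKey1 count is in the state the article describes; a DC with the OOB fix installed and the workaround still present is a candidate for -Revert. The Event 14 match is on the message text, so adjust the pattern if your DCs log in a language other than English.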
Problem Cause
The November 8, 2022 update for Domain Controllers (KB5019966, OS Build 17763.3650, and its Windows Server 2016 equivalent KB5019964) hardens the Netlogon and Kerberos protocols against CVE-2022-38023 (Netlogon RPC elevation of privilege), CVE-2022-37966 (Kerberos RC4-HMAC elevation of privilege) and CVE-2022-37967 (Kerberos elevation of privilege). The Kerberos change alters how the KDC selects encryption types for ticket and session keys; on affected DCs the KDC cannot find a suitable key for some accounts, which it logs as Event ID 14 with "the missing key has an ID of 1". The Cloud Connector or DDC then cannot obtain a ticket for the VDA, and the failure surfaces as the SSPI negotiation error shown above. The errors were observed after installing the update on Domain Controllers, Citrix Delivery Controllers and Citrix Cloud Connectors.
For deployment guidance on what this KB corrects, see the following:
- KB5020805: How to manage the Kerberos Protocol changes related to CVE-2022-37967
- KB5021130: How to manage Netlogon Protocol changes related to CVE-2022-38023
- KB5021131: How to manage the Kerberos Protocol changes related to CVE-2022-37966
Additional Resources
- https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#2961
- https://support.microsoft.com/en-gb/topic/november-8-2022-kb5019966-os-build-17763-3650-b09dad62-5cd7-47cd-992f-b7d01f2956c1
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797