CTX474888

VDA Machines Fail to Register After Microsoft Update KB5019966 or KB5019964

Symptoms or Error

  • VDAs fail to register with the Cloud Connectors in Citrix DaaS, and with the DDCs in on-premises CVAD environments, after Microsoft Update KB5019966 (2019 OS) or KB5019964 (2016 OS) is applied.

Cloud Connector CDF error:

BrokerProxyPlugin.LocalTest - Failed to test the VDA communication - System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://10.x.x.x/Citrix/VirtualDesktopAgent/IQueryAgent'; for target 'http://10.x.x.x/Citrix/VirtualDesktopAgent/IQueryAgent'; failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: The Security Support Provider Interface (SSPI) negotiation failed.

  • Gpupdate /force also fails with the following error:
"The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."
  • Event ID 14, an error event from source Microsoft-Windows-Kerberos-Key-Distribution-Center, is logged in the System section of the Event Log on your Domain Controller with the text below. Note: affected events contain "the missing key has an ID of 1":
While processing an AS request for target service <service>, the account <account name> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of <account name> will generate a proper key.
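The following is an added example, not part of this Citrix article, showing how a defender can triage exported Event ID 14 records for the signature above: it keeps only events from the KDC source whose message names missing key ID 1, and decodes the requested and available etype numbers. The event records, host and account names are constructed for illustration; real records can be exported from a Domain Controller's System log (for example with Get-WinEvent), and the Id/ProviderName/Message field names are an assumption of this example.

```python
import re

# Kerberos encryption type numbers (IANA registry; RFC 3961/3962/4757).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KDC_PROVIDER = "Microsoft-Windows-Kerberos-Key-Distribution-Center"
MISSING_KEY_MARKER = "the missing key has an ID of 1)"  # ')' so ID 10+ does not match
ETYPES_RE = re.compile(r"requested etypes\s*:\s*([\d\s]+?)\.\s*The accounts "
                       r"available etypes\s*:\s*([\d\s]+?)\.", re.IGNORECASE)
SERVICE_RE = re.compile(r"AS request for target service (\S+),")
ACCOUNT_RE = re.compile(r"the account (\S+) did not have a suitable key")

def affected_events(events):
    """Return Event ID 14 records matching the CTX474888 signature, etypes decoded.
    Each event is a dict with the Id, ProviderName and Message fields (assumed names)."""
    findings = []
    for ev in events:
        if ev.get("Id") != 14 or ev.get("ProviderName") != KDC_PROVIDER:
            continue  # only the KDC source matters for this symptom
        msg = ev.get("Message", "")
        m = ETYPES_RE.search(msg)
        if MISSING_KEY_MARKER not in msg or not m:
            continue  # other key IDs are not the pattern the article describes
        requested, available = ([int(t) for t in g.split()] for g in m.groups())
        svc, acct = SERVICE_RE.search(msg), ACCOUNT_RE.search(msg)
        findings.append({
            "service": svc.group(1) if svc else None,
            "account": acct.group(1) if acct else None,
            "requested": requested,
            "available": available,
            # etypes the client asked for but the account holds no key for
            "requested_not_available": [e for e in requested if e not in available],
            "names": {e: ETYPE_NAMES.get(e, f"etype-{e}") for e in requested + available},
        })
    return findings

# Constructed sample records: one matching event, one Event 14 with a different
# key ID, and one unrelated System-log event. Host and account names are placeholders.
SAMPLE_EVENTS = [
    {"Id": 14, "ProviderName": KDC_PROVIDER, "Message": (
        "While processing an AS request for target service host/vda01.example.local, "
        "the account VDA01$ did not have a suitable key for generating a Kerberos "
        "ticket (the missing key has an ID of 1). The requested etypes : 18 3. "
        "The accounts available etypes : 23 18 17. Changing or resetting the "
        "password of VDA01$ will generate a proper key.")},
    {"Id": 14, "ProviderName": KDC_PROVIDER, "Message": (
        "(the missing key has an ID of 8). The requested etypes : 18. "
        "The accounts available etypes : 23.")},
    {"Id": 5774, "ProviderName": "NETLOGON", "Message": "unrelated event"},
]
```

Running `affected_events(SAMPLE_EVENTS)` returns one finding for VDA01$, showing that etype 3 (DES) was requested but the account only holds RC4 and AES keys.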

Solution

Work-Around 1: Install the KB hotfixes from the Microsoft Out-of-Band (OOB) release cycle:

Standalone updates are available for the operating systems below, as they are also affected by the respective November 8 Microsoft updates.


Reference Article: https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#2961

Work-Around 2: The workaround provided by Microsoft is to set the following registry value on all AD Domain Controllers:

  • reg add HKLM\System\currentcontrolset\services\kdc /t REG_DWORD /v ApplyDefaultDomainPolicy /d 0 /f
  • Customers are requested to engage MS support for a permanent resolution.

Work-Around 3:
  • Temporarily remove KB5019966 or KB5019964, after verifying with any internal security teams or Microsoft Support, until a full resolution can be provided.

Problem Cause

Because Citrix uses Kerberos for authentication, registration and several other functions, it is important to check whether KB5019966 has been installed on the Domain Controllers, Citrix Delivery Controllers or Citrix Cloud Connectors. The Kerberos changes can also have additional side effects, such as GPUpdate /Force failing, being unable to join a server to a domain, or failures in anything else that uses Kerberos.

For additional details: Microsoft has released a Windows OS patch for Domain Controllers that corrects the security vulnerabilities in the Netlogon and Kerberos protocols outlined in CVE-2022-38023, CVE-2022-37966, and CVE-2022-37967. The errors were observed after installing the specific update November 8, 2022—KB5019966 (OS Build 17763.3650) (microsoft.com) on Domain Controllers, Citrix Delivery Controllers and Citrix Cloud Connectors.

For deployment guidance on what this KB corrects, see the following:
  • KB5020805: How to manage the Kerberos Protocol changes related to CVE-2022-37967
  • KB5021130: How to manage Netlogon Protocol changes related to CVE-2022-38023
  • KB5021131: How to manage the Kerberos Protocol changes related to CVE-2022-37966

Additional Resources


Disclaimer

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.