Forum Discussion
Andrew Emmett
Aug 11, 2022 Brass Contributor
KB5016623 Issues with AAD App Proxy
Hello, we have encountered some issues with KB5016623. This is causing the server, Win 2019 server running IIS, to crash after 5 to 10 minutes and to be unable to use AAD App Proxy connections that ar...
- Aug 12, 2022
Hi Andrew,
We had the same issue today. Uninstalling KB016623 resolved it as well. I've logged it with Microsoft. Will report back when they respond.
Glen.
John_Tinson
Aug 22, 2022 Copper Contributor
Thanks for the heads up Andrew. Had issues with our WebApp Proxy this morning caused by the Windows 2012 R2 security update KB5016681. Uninstalled the update and service is operational again. I expect MS will be looking into this at some point shortly.
- Andrew_Allston
Aug 22, 2022 Iron Contributor
No one is safe apparently 🙂
- GeirF
Aug 22, 2022 Copper Contributor
Anyone else using "RunAsPPL" LSA Protections on the servers?
As part of debug with MS I had to remove the RunAsPPL reg key to be able to trace lsass.
To my surprise the AAD App Proxy started working after removing the reg key and rebooting the server, with KB5016681 installed.
Ref: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- Andrew Emmett
Aug 24, 2022 Brass Contributor
I have removed the RunAsPPL key from some standby servers (we deploy the key as standard practice) and provisionally I think things are working. My production servers are still running without KB5016623 and I can’t risk the instability at the moment as I work in education and the next few days are the most important of the year.
However, to test, I have routed a few non-essential web sites through backup servers running AAD proxy and the latest server patch (Aug 23rd - KB5016690) with the RunAsPPL key removed, and both Windows Auth and Modern Auth websites are working as expected. So, I feel confident that this might be the answer.
I found that servers crashed more quickly when the server was under load, so will need to see what the next few days bring. If my fully patched servers last until Monday without crashing & rebooting, I’ll update the production servers again.
Fingers crossed
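
Added example, not part of the thread and not Microsoft's code: a read-only PowerShell check for a connector host that records which of the updates named above are installed, whether RunAsPPL is configured, and whether lsass.exe actually started protected, so servers where the key was removed as a workaround can be tracked. The function name and the note wording are assumptions; the Wininit event 12 check follows the LSA protection documentation linked in the thread.

```powershell
# Added example: read-only inventory, run locally on each App Proxy connector host.
function Get-LsaPplPatchState {            # hypothetical helper name
    param(
        # KB numbers taken from the thread above
        [string[]]$Kb = @('KB5016623', 'KB5016681', 'KB5016690')
    )

    # Configured state: RunAsPPL value under the Lsa key (missing or 0 = not configured)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    $configured = if ($lsa) { [int]$lsa.RunAsPPL } else { 0 }

    # Effective state: Wininit logs event 12 in the System log when lsass.exe
    # starts as a protected process; only events since the last boot count.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $pplEvent = Get-WinEvent -FilterHashtable @{
            LogName = 'System'; Id = 12; StartTime = $boot
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' } |
        Select-Object -First 1

    # Which of the updates discussed in the thread are present on this host
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Kb -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Flag the two states worth following up on
    $note = if ($configured -eq 0 -and $installed.Count -gt 0) {
        'Patched with LSA protection off: track for re-enabling'
    } elseif ($configured -ne 0 -and -not $pplEvent) {
        'RunAsPPL set but no protected start logged since boot'
    } else { '' }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        InstalledKbs      = $installed -join ', '
        RunAsPPLValue     = $configured
        LsassProtected    = [bool]$pplEvent
        LastBoot          = $boot
        Note              = $note
    }
}

Get-LsaPplPatchState | Format-List
```

The registry value only takes effect after a reboot, which is why the check compares the configured value with the event logged since the last boot.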