Forum Discussion
Andrew Emmett
Aug 11, 2022, Brass Contributor
KB5016623 Issues with AAD App Proxy
Hello, we have encountered some issues with KB5016623. This is causing the server (Windows Server 2019 running IIS) to crash after 5 to 10 minutes and to be unable to use AAD App Proxy connections that ar...
- Aug 12, 2022
Hi Andrew,
We had the same issue today. Uninstalling KB5016623 resolved it as well. I've logged it with Microsoft. Will report back when they respond.
Glen.
Andrew_Allston
Aug 22, 2022, Iron Contributor
No one is safe apparently 🙂
GeirF
Aug 22, 2022, Copper Contributor
Anyone else using "RunAsPPL" LSA Protection on the servers?
As part of debugging with MS I had to remove the RunAsPPL reg key to be able to trace lsass.
To my surprise the AAD App Proxy started working after removing the reg key and rebooting the server, with KB5016681 installed.
Ref: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- Andrew Emmett, Aug 24, 2022, Brass Contributor
I have removed the RunAsPPL key from some standby servers (we deploy the key as standard practice) and provisionally I think things are working. My production servers are still running without KB5016623 and I can't risk the instability at the moment as I work in education and the next few days are the most important of the year.
However, to test, I have routed a few non-essential web sites through backup servers running AAD proxy and the latest server patch (Aug 23rd, KB5016690) with the RunAsPPL key removed, and both Windows Auth and Modern Auth websites are working as expected. So, I feel confident that this might be the answer.
I found that servers crashed more quickly when the server was under load, so will need to see what the next few days bring. If my fully patched servers last until Monday without crashing and rebooting, I'll update the production servers again.
Fingers crossed
- Andrew_Allston, Aug 24, 2022, Iron Contributor
GeirF, I was mistaken, I did have RunAsPPL enabled. I also disabled the ASR rule, so I don't know if that has any impact. When it's safe to try I will re-enable the ASR LSASS rule and update the thread for anyone interested. Also, if anyone has any idea how to disable this in Azure it would be greatly appreciated. As per the doc, UEFI boxes can tattoo the setting in their UEFI. MS offers an .efi file to help remove the setting, but it requires access to UEFI to accept the setting change. To my knowledge this is not possible in Azure, so I just moved the apps to on-prem proxies till I rebuild or figure that part out. Thanks again!
- GeirF, Aug 25, 2022, Copper Contributor
To get access to UEFI on an Azure machine I think you will be able to if you use a "Repair VM with nested Hyper-V".
Ref the "Repair VM with Nested Hyper-V example":
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/repair-windows-vm-using-azure-virtual-machine-repair-commands
- Andrew_Allston, Aug 22, 2022, Iron Contributor
I don't use that, but I do use the ASR rule for LSASS, which is basically the same thing... Good to know. I will look at disabling that on the app proxies for now.
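The thread above turns on three LSASS-hardening settings that interact with the App Proxy connector: the RunAsPPL registry value GeirF removed, whether LSASS actually started as a protected process at the last boot (which is what still matters if a UEFI lock has tattooed the setting, as Andrew_Allston describes), and the Defender ASR rule for LSASS that Andrew_Allston disabled. The following PowerShell is an added, read-only check written for this page; it is not from any poster or from Microsoft. It assumes an elevated session on the connector server and, for the ASR part, Microsoft Defender Antivirus with the Defender cmdlets available. The ASR rule GUID is the one Microsoft documents for "Block credential stealing from the Windows local security authority subsystem"; verify it against the current ASR rule reference before relying on it.

```powershell
# Added example (not from the original thread): report the LSASS-hardening state on an
# AAD App Proxy connector. Read-only; it changes nothing. Run elevated.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. RunAsPPL registry value. 1 = LSA protection enabled (with a UEFI lock on UEFI systems);
#    some newer builds also accept 2 for enabled without the UEFI lock. Missing = not configured.
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($null -eq $runAsPpl) { 'RunAsPPL registry value: not set' } else { "RunAsPPL registry value: $runAsPpl" }

# 2. Did LSASS really start as a protected process at the last boot? Wininit logs event ID 12
#    ("LSASS.exe was started as a protected process with level: 4") in the System log when it did.
#    This is the check that matters after deleting the key: if the UEFI lock has tattooed the
#    setting, the key is gone but event 12 still appears after reboot.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$pplEvent = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 12
    StartTime    = $lastBoot
} -ErrorAction SilentlyContinue | Select-Object -First 1
if ($pplEvent) { "LSASS running as PPL since boot: yes (event 12 at $($pplEvent.TimeCreated))" }
else           { 'LSASS running as PPL since boot: no (no Wininit event 12 since last boot)' }

# 3. Defender ASR rule "Block credential stealing from the Windows local security authority subsystem".
#    GUID as documented by Microsoft (assumption: verify against the current ASR rule reference).
#    Action codes: 0 = off, 1 = block, 2 = audit, 6 = warn.
$lsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$asrState = 'not configured'
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $lsassRuleId) {
            $asrState = switch ($actions[$i]) {
                0 { 'off' } 1 { 'block' } 2 { 'audit' } 6 { 'warn' } default { "unknown ($_)" }
            }
        }
    }
} else {
    $asrState = 'Defender cmdlets unavailable'
}
"ASR LSASS credential-theft rule: $asrState"
```

Run it before and after the reboot that follows removing the RunAsPPL value: if section 1 reports "not set" but section 2 still finds event 12, the setting is UEFI-locked and the registry change alone has not taken effect, which is the situation Andrew_Allston hit on Azure. Section 3 tells you whether the ASR rule rather than RunAsPPL is what is still protecting LSASS on a given connector.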