Hi Chris,
I have already viewed multiple other targets (same subnets, some network configuration), VMs and physical machines, that yet again got disconnected from the TS. (Yesterday I 1st only noticed VMs, but later saw others as well.)
Indeed, when I reverted the NTLM, all targets successfully returned online, but this is a weak workaround, since with every restart of the SMP or TS the NTLM settings are reset back to the original state (since the Jan22 patches were implemented).
Is there any expected additional solution for this issue in Microsoft's Feb22 patches? Or Broadcom's fix let of some sort?
I know you are working on a change of the entire SMP upgrade to 8.6 RU2 (+) to have the 3-part authenticate changed to 2-part, but that will require a full system (ITMS) upgrade, which, if not necessary at this point, I wouldn't be so thrilled to perform just for the NTLM issue without knowing it 100% resolves all targets.
The problem is the sporadic behavior of this issue, since I can pinpoint and find the root cause that some targets lose connectivity and others don't, if they are on the same network, same image, same OS, physical or VM, and yet, 1 acts differently than the other (if the NTLM isn't set as priority).
Any ideas?
Tnx,
Hagai
---------------------------------------------------------------------
A member of the Intel Corporation group of companies
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
Original Message:
Sent: 2/8/2022 8:39:00 PM
From: Chris Farrell
Subject: RE: Task Server Unavailable RE MS22-01-W10-5009543
I would look for what is different network wise with those systems - for example, do they have line-of-sight to a domain controller? Are they hitting the task server and getting denied? If so, they likely are unable to secure a Kerberos ticket. You can test by switching the provider to NTLM on the task server it is attempting to connect to and see if it then succeeds - then you know there is likely a problem connecting to a DC.
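The checks described in the reply above, as an added PowerShell example that is not part of the original thread or of any Broadcom tooling. The task server name is a placeholder and the `HTTP/<FQDN>` SPN form is an assumption; substitute the SPN actually registered for your task server.

```powershell
# Added example: run on an endpoint that cannot register with its task server.
# $TaskServer is a hypothetical placeholder; the HTTP/<fqdn> SPN form is an assumption.
param(
    [string]$TaskServer = 'taskserver.example.com'
)

$dc     = $null
$spn    = "HTTP/$TaskServer"
$report = [ordered]@{ Endpoint = $env:COMPUTERNAME; Spn = $spn }

# 1. Line-of-sight: can this machine locate a domain controller at all?
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $dc     = $domain.FindDomainController().Name
} catch {
    $dc = $null   # not domain joined, or no DC reachable
}
$report.DomainController = $dc

# 2. Is the Kerberos port (TCP 88) on that DC reachable from here?
$report.KerberosPortOpen = $false
if ($dc) {
    $probe = Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue
    $report.KerberosPortOpen = [bool]$probe.TcpTestSucceeded
}

# 3. Can a Kerberos service ticket be obtained for the task server's SPN?
#    On success klist lists the ticket, so the SPN appears in its output.
$klistText = (& klist.exe get $spn 2>&1 | Out-String)
$report.TicketObtained = ($LASTEXITCODE -eq 0) -and
                         ($klistText -match [regex]::Escape($spn))

# 4. Interpretation, following the reasoning in the reply above.
$report.Verdict =
    if (-not $dc)                         { 'No DC located: Kerberos cannot work from this endpoint' }
    elseif (-not $report.KerberosPortOpen) { 'DC found but TCP 88 blocked: check firewall and routing' }
    elseif (-not $report.TicketObtained)   { 'DC reachable but no ticket for the SPN: check SPN registration' }
    else                                   { 'Kerberos ticket obtained: look elsewhere for the denial' }

[pscustomobject]$report | Format-List
```

Comparing the output from a working and a non-working endpoint on the same subnet shows which of the three conditions differs between them.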
Original Message:
Sent: Feb 07, 2022 04:02 PM
From: Hagai Nachmani
Subject: Task Server Unavailable RE MS22-01-W10-5009543
Hi Chris, I noticed that some VM servers still have the issue appear on them (end targets), while they, the TS and the SMP all have the latest Microsoft KBs, the NTLM on the SMP and TS is already set properly (back to its original settings), and the SPNs were properly initiated and implemented.
Have you (or any others) encountered such behavior, and do you know what needs to be done?
(I noticed it on VM Win2016 and Win10, but not all, so I have no idea what the difference is between the working and the non-working targets. I have already tried to reinstall the ITMS agent, and still can't find the proper root cause.)
tnx,
Hagai
Original Message:
Sent: Jan 30, 2022 01:09 PM
From: Chris Farrell
Subject: Task Server Unavailable RE MS22-01-W10-5009543
Hi Hagai,
We have removed the workarounds involving changes to IIS - if you reload the article you will see the current recommendations for resolving the issues seen. Please see the Microsoft article (which is now linked in the Broadcom article) that explains why various applications are failing. The article explains that in such environments, "... it is likely that Kerberos authentication for 3-part SPNs has not worked for some time."
https://support.microsoft.com/en-us/topic/kb5011233-protections-in-cve-2022-21920-may-block-ntlm-authentication-if-kerberos-authentication-is-not-successful-dd415f99-a30c-4664-ba37-83d33fb071f4
Original Message:
Sent: Jan 30, 2022 01:44 AM
From: Hagai Nachmani
Subject: Task Server Unavailable RE MS22-01-W10-5009543
Thank you Chris,
Yes, seeing all the commotion and the buzz around this KB in the past week.
Still hoping to hear about a permanent solution from MS / Broadcom that won't require a daily check to see if the NTLM configuration remains as was set.
Tnx,
Hagai
Original Message:
Sent: 1/28/2022 12:33:00 PM
From: Chris Farrell
Subject: RE: Task Server Unavailable RE MS22-01-W10-5009543
The KB article is now updated with the recommended resolution steps.
https://knowledge.broadcom.com/external/article/232242/
Original Message:
Sent: Jan 19, 2022 07:17 AM
From: Hagai Nachmani
Subject: Task Server Unavailable RE MS22-01-W10-5009543
So now the previously non-connected Windows 2012 targets are OK with any TS?
Was the IIS procedure impactful on any other aspect? Is there any risk touching the NS IIS for this action?
Tnx,
Hagai
Original Message:
Sent: 1/19/2022 6:43:00 AM
From: Dylan Thomas
Subject: RE: Task Server Unavailable RE MS22-01-W10-5009543
Good day all,
For some reason the IIS NTLM authentication promotion wasn't working on these site servers; we've now managed to get this working.
Kind Regards,
Dylan
Original Message:
Sent: Jan 18, 2022 08:54 AM
From: Dylan Thomas
Subject: Task Server Unavailable RE MS22-01-W10-5009543
Good day all,
We've been trying to fix the problems/mess caused by:
Bulletin: MS22-01-W10-5009543, Update: windows10.0-kb5009543-x64.msu prevents endpoints from registering to task server (broadcom.com)
(thanks Microsoft)
Our SMP is working with no problem, and the primary site server is also working without a problem, but we have 2 other site servers that exhibit the symptoms described in this bulletin even after the KBs have been uninstalled and the servers restarted. Clients are getting the exact same message and are unable to register to these Task Servers.
Anyone have any other fixes, do we need to modify anything else?
Kind Regards,
Dylan