LSA (LsaSrv) "The security package Kerberos generated an exception. The exception information is the data." caused by NPS

2

2

I have a Windows server (2008 R2 with SP1) that runs as a domain controller, and uses Network Policy Server to authenticate Wireless 802.1X devices. There are two access points available.

Suddenly, for some reason, whenever one of the access points creates a RADIUS request for a wireless device trying to authenticate, LSA (lsass.exe) crashes with code 255, then the system has to restart. The RADIUS request also eventually fails (code 4). I can provide a Wireshark dump of the RADIUS session if wanted.

These system events get logged:

Event #1

**USER32** (ID 1074)
The process wininit.exe has initiated the restart of computer SERVER on behalf of user  for the following reason: No title for this reason could be found
 Reason Code: 0x50006
 Shutdown Type: restart
 Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255.  The system will now shut down and restart.

Event #2

**LSA (LsaSrv)** (ID 5000)
The security package Kerberos generated an exception. The exception information is the data.

Event #3

**LSA (LsaSrv)** (ID 5000) *Two events with exactly the same data are created.*
The security package Kerberos generated an exception. The exception information is the data.

I found this article, which appeared to be the exact issue (what with Windows 7 and Server 2008 R2 using the same kernel), so I applied the hotfix. Unfortunately that fixed nothing.

http://support.microsoft.com/kb/2732595

I've also tried some other common checks like running CHKDSK, SFC, a virus scan (MSE), and a rootkit revealer.

It looks like this chap is having exactly the same problem, though he never replied to say if the issue got resolved or not. (I hate people doing that)

http://social.technet.microsoft.com/Forums/windows/en-US/46c5cf7b-b844-422d-80d6-44406a51ba18/event-id-5000-the-security-package-kerberos-generated-an-exception-the-exception-information-is?forum=w7itprosecurity

Adambean

Posted 2014-05-20T03:32:49.363

Reputation: 789

Hi, my servers have been hit with the same error code. In my case it started earlier this week. The only thing I can think of is a GPO change from last week, but the servers worked fine for quite a few days after it was deployed. It only seems to affect domain accounts. Local ones are fine. The issue started on a WS2012 R2 box first and then "spread" to a WS08 R2 box on the same site. For the 08 box, the kerberos.dll is the 18409 version from KB2871997 (or 22616 which replaces the 22048 version provided by KB2732595). – billc.cn – 2014-06-28T00:04:02.017

I hadn't changed any GPOs recently. My server runs Kerberos.dll build 22616 too. – Adambean – 2014-06-28T14:21:04.813

Yeah, it does not seem to be group policy related. I undid the group policy settings and restarted all servers involved and the problem persists. – billc.cn – 2014-06-28T22:23:57.353

Answers

2

I created a fresh WS 2008 R2 SP1 system from DVD, joined the domain, applied group policy, restarted and installed NPS and RRAS. A test from a remote host proves NPS and Kerberos.dll were working correctly at this point.

I then installed KB2871997 on its own and the lsass crashed upon VPN connection, so it's pretty clear this is a bug in KB2871997.

According to its accompanying security advisory, this update seems to be a security enhancement, not a bug fix, so I think it can be removed if it breaks things. I have removed it from my WS2008 R2 server and it is now working again.

(I would not exclude it from auto update list though, in case M$ publishes a new version. The current version is already v2......)

However, this update is not released separately for WS2012 R2 but as part of a security roll up. I am still trying to figure out how to uninstall it for that OS.

billc.cn

Posted 2014-05-20T03:32:49.363

Reputation: 6 821

Uninstalling KB2871997 completely resolved this issue for me. After the required restart I turned on the NPS service, got my phone to use the affected Wi-Fi network, and it connected & authenticated pretty much instantly. The server has NOT restarted, and now I've put NPS back on automatic. Very nice find my good sir, answer accepted. :) – Adambean – 2014-07-01T15:15:20.847

I think another update has put the faulty kerberos.dll version 22616 back in place. KB2871997 is not installed on my machine, but the original issue has started to happen again. Will investigate further. – Adambean – 2014-07-17T13:43:13.833

On top of removing KB2871997 you also need to remove hotfix KB2732595. This will put your kerberos.dll back to build 18489, though it's still causing this LsaSrv error. – Adambean – 2014-08-14T07:39:12.800

Installing KB2871997 again afterwards kept it on build 18489, but the LsaSrv crash still happens with or without it. – Adambean – 2014-08-14T08:15:51.323

I have recently built a new WS08 R2 VM on one of the sites that still uses a WS08 R2 DC and it doesn't crash on VPN connection! Maybe some of the Kerberos enhancements made in KB2871997 are only effective against a WS2012 DC. – billc.cn – 2014-08-14T09:56:56.113

Just a quick note about where the bug is. Even though that hotfix might be causing the crash it might be that it takes the code down a different path and is exposing a bug in a different DLL where a function with a bug hadn't been called before. Undoubtedly removing this fix is the correct action. I just wanted to point out that it might not have a bug and when a different module is patched then this one might start working again in the future without modification. – Guy – 2015-03-15T18:59:12.853
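
The state compared across the answer and comments above (which of KB2871997 and KB2732595 is installed, which kerberos.dll build is on disk, and whether LsaSrv 5000 events accompany each lsass.exe restart) can be collected in one pass on the affected server. This is an added example, not part of the original posts; the variable names and the 5-minute correlation window are assumptions, and it sticks to cmdlets available in PowerShell 2.0 on Server 2008 R2.

```powershell
# Added example. $kbs comes from the thread; $windowMinutes is an assumed value.
$kbs = 'KB2871997', 'KB2732595'
$windowMinutes = 5

# 1. Are the two updates discussed in the thread installed?
$kbs | ForEach-Object {
    $hf = Get-HotFix -Id $_ -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Update      = $_
        Installed   = [bool]$hf
        InstalledOn = $(if ($hf) { $hf.InstalledOn } else { $null })
    }
} | Format-Table Update, Installed, InstalledOn -AutoSize

# 2. Which kerberos.dll build is on disk? FilePrivatePart is the last
#    field of the file version, the number the posters refer to as the build.
$dll = Get-Item (Join-Path $env:SystemRoot 'System32\kerberos.dll')
'kerberos.dll {0} (build {1})' -f $dll.VersionInfo.ProductVersion,
                                  $dll.VersionInfo.FilePrivatePart

# 3. Restarts triggered by lsass.exe terminating (USER32 event 1074).
$restarts = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } `
                  -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'lsass\.exe' })

# 4. Event 5000 from the LSA provider; matched loosely on the provider name
#    because the exact string can differ from the Event Viewer display name.
$lsaErrors = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5000 } `
                   -ErrorAction SilentlyContinue |
               Where-Object { $_.ProviderName -match 'Lsa' })

# 5. For each restart, count the LSA exceptions logged within the window.
$restarts | ForEach-Object {
    $t = $_.TimeCreated
    $near = @($lsaErrors | Where-Object {
        [math]::Abs(($_.TimeCreated - $t).TotalMinutes) -le $windowMinutes
    })
    New-Object PSObject -Property @{
        RestartTime   = $t
        LsaSrv5000    = $near.Count
        KerberosNamed = [bool]($near | Where-Object { $_.Message -match 'Kerberos' })
    }
} | Sort-Object RestartTime |
    Format-Table RestartTime, LsaSrv5000, KerberosNamed -AutoSize
```

Running it before and after removing or reinstalling an update records the update state, DLL build and crash history together, which makes it easier to see when another update has replaced kerberos.dll.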