Microsoft has addressed an LSASS memory leak issue on some domain controllers that led to freezes and restarts after installing Windows Server updates released during last month’s Patch Tuesday.
“After installing the November 2022/Out of Band update on your domain controllers you might experience a memory leak happening within LSASS.exe (Local Security Authority Subsystem Service),” triggering domain controller performance, operational failures, and/or reliability issues as David Fisher, a Principal Product Manager at Microsoft, said on Tuesday.
“If you have already patched your domain controllers, the December 13, 2022 security update should resolve the known memory leak that is happening within LSASS.exe at this time.”
LSASS enforces Windows security policies and handles user logins. If it crashes, logged-in users immediately lose access to Windows accounts on the machine after being shown a restart error followed by a system reboot.
Redmond acknowledged the issue in late November, two weeks after the updates were issued, saying that it affects multiple Windows Server versions, including Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.
At the time, the company also added that out-of-band Windows updates pushed out to address authentication problems on Windows domain controllers might also be affected.
Workaround also available
For admins who still need to install the December 2022 Patch Tuesday updates, Redmond also provides a temporary solution to work around domain controller instability in their environments.
The workaround requires admins to set the KrbtgtFullPacSignature registry key (used to gate CVE-2022-37967 Kerberos protocol changes) to 0 using the following command:
reg add “HKLMSystemCurrentControlSetservicesKDC” -v “KrbtgtFullPacSignature” -d 0 -t REG_DWORD
After applying this month’s patches to resolve the domain controller issues, admins have to edit the registry key to a higher value.
“Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow,” Microsoft said.
“It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.”
In March, Microsoft fixed another known issue leading to Windows Server domain controller reboots because of LSASS crashes.
In November, Redmond issued emergency out-of-band (OOB) updates to fix domain controller sign-in failures and other auth problems also caused by last month’s Patch Tuesday Windows updates.
