LSA (LsaSrv) "The security package Kerberos generated an exception. The exception information is the data." caused by NPS

I have a Windows server (2008 R2 with SP1) that runs as a domain controller, and uses Network Policy Server to authenticate Wireless 802.1X devices. There are two access points available.

Suddenly, for some reason, whenever one of the access points creates a RADIUS request for a wireless device trying to authenticate, LSA (lsass.exe) crashes with code 255 and the system has to restart. The RADIUS request also eventually fails (code 4). I can provide a Wireshark dump of the RADIUS session if wanted.

These system events get logged:

Event #1

**USER32** (ID 1074)
The process wininit.exe has initiated the restart of computer SERVER on behalf of user  for the following reason: No title for this reason could be found
 Reason Code: 0x50006
 Shutdown Type: restart
 Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255.  The system will now shut down and restart.

Event #2

**LSA (LsaSrv)** (ID 5000)
The security package Kerberos generated an exception. The exception information is the data.

Event #3

**LSA (LsaSrv)** (ID 5000) *Two events with exactly the same data are created.*
The security package Kerberos generated an exception. The exception information is the data.

I found this article, which appeared to be the exact issue (what with Windows 7 and Server 2008 R2 using the same kernel), so I applied the hotfix. Unfortunately that fixed nothing.

http://support.microsoft.com/kb/2732595

I've also tried some other common checks like running CHKDSK, SFC, a virus scan (MSE), and a rootkit revealer.

It looks like this chap is having exactly the same problem, though he never replied to say if the issue got resolved or not. (I hate people doing that.)

http://social.technet.microsoft.com/Forums/windows/en-US/46c5cf7b-b844-422d-80d6-44406a51ba18/event-id-5000-the-security-package-kerberos-generated-an-exception-the-exception-information-is?forum=w7itprosecurity


I created a fresh WS 2008 R2 SP1 system from DVD, joined the domain, applied group policy, restarted and installed NPS and RRAS. A test from a remote host proves NPS and Kerberos.dll were working correctly at this point.

I then installed KB2871997 on its own and lsass crashed upon VPN connection, so it's pretty clear this is a bug in KB2871997.

According to its accompanying security advisory, this update seems to be a security enhancement, not a bug fix, so I think it can be removed if it breaks things. I have removed it from my WS2008 R2 server and it is now working again.

(I would not exclude it from the auto update list though, in case M$ publishes a new version. The current version is already v2...)

However, this update is not released separately for WS2012 R2 but as part of a security rollup. I am still trying to figure out how to uninstall it for that OS.
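As an added triage example (not code from either post), the following PowerShell script checks whether KB2871997 is present and pulls the two events described in the question (LsaSrv 5000 and the User32 1074 restart citing lsass.exe status 255) from the System log, pairing each restart with the Kerberos exceptions logged just before it. The provider names 'LsaSrv' and 'User32' are assumed from the event sources shown above, and the script assumes the update is installed as a stand-alone package as on 2008 R2.

```powershell
# Added example, not from the original thread. Assumed: event providers are
# 'LsaSrv' and 'User32' (from the sources shown in the question), and
# KB2871997 is a stand-alone package (true on 2008 R2, not on 2012 R2).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 72
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Is the suspect update listed among installed updates?
$kb = Get-HotFix -Id 'KB2871997' -ComputerName $ComputerName -ErrorAction SilentlyContinue
if ($kb) {
    "KB2871997 installed on {0} ({1})" -f $ComputerName, $kb.InstalledOn
} else {
    "KB2871997 not listed on $ComputerName (on 2012 R2 it ships inside a rollup and will not appear here)"
}

# 2. Kerberos package exceptions raised by LSA (event 5000, source LsaSrv).
$lsaEvents = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'LsaSrv'; Id = 5000; StartTime = $since
})

# 3. Restarts triggered by lsass.exe dying with status 255 (event 1074, source User32).
$restarts = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $since
} | Where-Object { $_.Message -match 'lsass\.exe.*status code 255' })

"{0} LsaSrv 5000 event(s) and {1} lsass-triggered restart(s) in the last {2} h" -f $lsaEvents.Count, $restarts.Count, $Hours

# 4. Pair each restart with the 5000 events logged in the five minutes before it,
#    so the timestamp can be matched against the RADIUS/VPN attempt in a packet capture.
foreach ($r in $restarts) {
    $window = @($lsaEvents | Where-Object {
        $_.TimeCreated -le $r.TimeCreated -and $_.TimeCreated -ge $r.TimeCreated.AddMinutes(-5)
    })
    "{0:u}  restart preceded by {1} Kerberos exception(s)" -f $r.TimeCreated, $window.Count
}

# 5. If the update is confirmed as the cause, the answer above removed it on 2008 R2.
#    The stand-alone package can be removed with:
#    wusa.exe /uninstall /kb:2871997 /norestart
```

Run it on the domain controller (or point -ComputerName at it) after a crash; a non-zero restart count whose windows each contain 5000 events reproduces the sequence the question describes.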