Credential agent crashes LSASS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Credential agent crashes LSASS

L1 Bithead

Setup a 2016 RODC so I could use the Credential Agent.

As soon as I try starting the agent as system, the server pops a message that I will be force restarted in 1 minute. It non-gracefully reboots in 1 minute. I tried agent v10 and v9. Perms and settings appear fine afaik, and suppressing a/v didn't help. Palo sent me a suggestion to roll back patches before Jan or even before July of last year but that doesn't seem right, plus Jan is the baseline in my template. Has anyone experienced a similar issue and had any luck?

 

Faulting application name: lsass.exe, version: 10.0.14393.4704, time stamp: 0x615be0cd
Faulting module name: samsrv.dll, version: 10.0.14393.4886, time stamp: 0x61d5262e
Exception code: 0xc0000096
Fault offset: 0x000000000000bac6
Faulting process id: 0x298
Faulting application start time: 0x01d82bfd507c5710
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\SYSTEM32\samsrv.dll
Report Id: bf2a0ead-8af1-4d85-b595-2509ddf94f46
Faulting package full name:
Faulting package-relative application ID:

----------

The process wininit.exe has initiated the restart of computer RODC-3 on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741674. The system will now shut down and restart.

----------------

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000096. The machine must now be restarted.

43 REPLIES 43

Community Team Member

Hi @palousermatthew ,

 

Sounds like a recent MS update broke the credential detection agent. Any update/workaround from support if they are planning a fix or is rolling back currently the only option ?

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L0 Member

Hi Matthew, I have exactly the same issue. The RODC is running in Azure with the latest patches (I presume, it is a fresh one).

I have a case running with PaloAlto, hopefully there will be a fix fast....

L1 Bithead

We are having the same issue as well and had to revert patches to get it running again. Tried both v9 and v10 as wekk

L1 Bithead

Which exact patch did folks have to revert to fix this? Just the Feb CU?

L1 Bithead

We have had the issue with both the January and February CU updates 

L1 Bithead

We are experiencing this same issue. We tried to patch the server in Jan and Feb. This caused the server to go into a loop. Once the User-ID Agent service launches it triggers the server to reboot in 1 min. I disabled the User-ID agent so the server is now stable. I looked at the patch and the logs on the server. The windows patch has an update to the Lsass.exe in it. The error log right after the User-ID Agent is triggered it give the error "A Critical system process, C:\windows\system32\lsass.exe, failed with status code c0000096. The machine much now be restarted." When I rolled back the patches on the RODC server I kept getting a BSOD and had to disable the driver on the boot to get the server to load. Once this was up I had to turn the nic back on and I was allowed to launch the User-ID service. I'm trying the March patch now. I'll update what happens after the March patches are installed.

L1 Bithead

we had the same issues with the march patches as well

Still no good after the March update. If I remove the updates the server give a BSOD on boot but I can get the paloalto UserID agent to run. Apply the updates and the server boots normal but once I turn on the UserID agent the server crashes. Hope Paloalto is looking into this. 

 

L0 Member

We are having the same issue, we also have an open support ticket on this.  Only resolution at this point is to remove Jan/Feb/Mar CU. 

L1 Bithead

Thanks for all the replies. This saved me from sinking additional hours into troubleshooting.

I found this via a link in the paloaltonetworks subreddit, and was subjected to the couple of hours trying to figure out what was going on.  Luckily, I knew about the botched MS patches that caused bootloops, so uninstalling the patch tipped me off.  I then noticed that the cred agent was not connected properly to the FW, so I disabled the service and the server was stable.  As soon as I started it, I got the message that the server was going to reboot in one minute.  It doesn't even cleanly shutdown, it acts like issuing a reset in VMware.

 

The last patches that seem to work are December 2021.  Since our users continue to fail phishing test emails, I'll keep the Dec 2021 patches on the RODC for now until we get a fix.  I did open a case and recommended others do as well so it receives some priority.

Thanks for the reply and sorry I didn't reply faster on that thread. Hope this helps gain visibility.

L1 Bithead

anyone else hear back from support? Ive just been told theyre investigating....

L2 Linker

I wish...  I put in a S2 ticket last Wed, the 16th.  I did not even have my case assigned until the 18th.  Way behind on the SLA for a S2.  The current workaround is to reduce the security of the RODC, or disable the Cred agent.  I hope PAN fixes support.  Certainly a good problem to have (many new customers needing support), but not good for those of us paying for premium support, and not receiving it.    

  • 19833 Views
  • 43 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!