Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Credential agent crashes LSASS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Credential agent crashes LSASS

L1 Bithead

Setup a 2016 RODC so I could use the Credential Agent.

As soon as I try starting the agent as system, the server pops a message that I will be force restarted in 1 minute. It non-gracefully reboots in 1 minute. I tried agent v10 and v9. Perms and settings appear fine afaik, and suppressing a/v didn't help. Palo sent me a suggestion to roll back patches before Jan or even before July of last year but that doesn't seem right, plus Jan is the baseline in my template. Has anyone experienced a similar issue and had any luck?

 

Faulting application name: lsass.exe, version: 10.0.14393.4704, time stamp: 0x615be0cd
Faulting module name: samsrv.dll, version: 10.0.14393.4886, time stamp: 0x61d5262e
Exception code: 0xc0000096
Fault offset: 0x000000000000bac6
Faulting process id: 0x298
Faulting application start time: 0x01d82bfd507c5710
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\SYSTEM32\samsrv.dll
Report Id: bf2a0ead-8af1-4d85-b595-2509ddf94f46
Faulting package full name:
Faulting package-relative application ID:

----------

The process wininit.exe has initiated the restart of computer RODC-3 on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741674. The system will now shut down and restart.

----------------

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000096. The machine must now be restarted.

43 REPLIES 43

L1 Bithead

Latest from palo:

 

"This issue will be fixed with the next software release and we do not have any updates for the ETR yet.
I will let you know when we have an update."

Thanks for the update @Magnus_App

 

By chance did you capture whether Palo mean tPAN-OS release or credential agent release?

Looking for help? Talk to an expert:
digitalscepter.com

Waiting on an updated UserID/Credential agent. 10.0.5 is the target release for the fix.  

No but I'm assuming it will be a new agent release

L0 Member

Running into this exact issue, any solutions out there or updates?

The last news I have on my ticket which was escalated, just says they are aware and working on a fix, but no timeline.  There are a number of teams involved, which is also why it is taking a long time for a fix.  

 

Since MS likely made changes to making getting creds more difficult, I am sure this is a good challenge for PAN.  I am guessing PAN may have to work directly with MS somehow.

 

This is such a great feature, and I hope they come up with a solution soon.

Just had the issue again on our side. Will be monitoring for this new version.

L1 Bithead

Has anyone had any success or updates on this? I have a case open with TAC but no response yet.

L1 Bithead

Hello Guys,

 

some update on this? I see that WINAGENT-830 ist still not fixed in User-ID Agent 10.0.5 according to Release Notes.

 

Thanks,

Andrey

 

NGFW-Lover

L0 Member

have heard that the bugfix is currently in QA. Its planned to fix this with the next release

L1 Bithead

New agent has been released. Looks like it requires the RODCs to be Server 2019. 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZCACA2

Jay, thanks for the info, i will check it with my customer 👌

NGFW-Lover

L1 Bithead

Got feedback from my customer, with new Version thats working like expected. Thanks!

NGFW-Lover

L1 Bithead

I've been running the new version for a couple weeks now without issue on 2019

  • 19158 Views
  • 43 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!