I've been tasked by an MSP to update a customer's Kerberos password after it hadn't been changed in over 14 years, following a security recommendation. I double-checked domain controller replication for errors and changed the password. However, the next day, the customer reported strange issues with their Citrix environment, such as application crashes, Chrome not working, and log-off problems.
After the password change, I looked for Kerberos authentication errors and found nothing. To address potential security risks like the golden ticket attack, I ended up changing the password a second time. Despite all this, the issues with the Citrix environment persist. The customer is using an older but stable version of FSLogix with Ivanti Workspace Manager on Windows Server 2022, and it seems that the problems only arise when using FSLogix profiles.
I've initiated a klist purge and rebooted the domain controllers, confirming the key version changed successfully. I can't rule out if the password change could be linked to the crashing applications, especially since no logged errors point to a clear issue. I'd love to hear your thoughts and suggestions on how I might investigate this further. Thanks!
5 Answers
What version of Windows Server are your domain controllers running? Just checking if it's also Server 2022 could help clarify compatibility issues.
From my experience, rotating the Kerberos service account password shouldn’t cause the issues you’re seeing with those applications. I've done these changes many times in various environments without running into problems, unless the environment is still using older Kerberos encryption types like DES. Have you checked if that's the case?
That’s interesting. We’re currently in the dark here. We’ve even filed sev1 cases with Citrix but still have no real indicators. It's puzzling that a simple password change is the only noticeable change that led to these issues.
Have you tried posting logs that show the "strange behavior"? It might help you find clues or patterns that can lead to a solution. But judging by what you've said, it seems like you've already checked for logs without much luck.
I understand, though! It's frustrating when you can't find any clear logs that indicate a problem. Maybe try increasing the FSLogix debugging to level 5 if you haven’t, just to see if that brings anything up.
Did you change the passwords for any other service accounts? It's possible that some user or service accounts still have RC4 hashes, which could be causing compatibility problems. You might want to run the Microsoft check-11b issues script to see if there are any affected accounts.
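To check the two things raised above (accounts still limited to DES or RC4, and the state of the krbtgt key after rotation), here is an added PowerShell audit that is not from this thread and is not the Microsoft script mentioned; it assumes the RSAT ActiveDirectory module and read access to the domain, and the function names are my own.

```powershell
# Added example (not from the thread): list accounts whose advertised
# Kerberos encryption types exclude AES, and show the krbtgt key state.
# Assumes the RSAT ActiveDirectory module is installed and the caller can
# read the domain. Function names are illustrative, not a Microsoft API.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (documented in MS-KILE 2.2.7)
$DesMask = 0x1 -bor 0x2      # DES-CBC-CRC, DES-CBC-MD5
$Rc4Flag = 0x4               # RC4-HMAC
$AesMask = 0x8 -bor 0x10     # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

function Get-EncTypeReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $props = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName', 'PasswordLastSet'
    Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
                 -SearchBase $SearchBase -Properties $props |
    ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        $set = if ($null -eq $raw) { 0 } else { [int]$raw }
        # Unset (0) means the DC's default policy decides, so it is worth a look too
        $class = if ($set -eq 0)                 { 'Unset (DC default applies)' }
                 elseif ($set -band $AesMask)    { 'AES-capable' }
                 elseif ($set -band $DesMask)    { 'DES-only' }
                 elseif ($set -band $Rc4Flag)    { 'RC4-only' }
                 else                            { 'Unknown bits' }
        [pscustomobject]@{
            Name            = $_.Name
            Class           = $class
            EncTypes        = ('0x{0:X}' -f $set)
            HasSPN          = [bool]$_.servicePrincipalName   # service accounts matter most
            PasswordLastSet = $_.PasswordLastSet
        }
    }
}

function Get-KrbtgtState {
    # Confirm the rotation landed: PasswordLastSet and the key version number
    Get-ADUser krbtgt -Properties PasswordLastSet, 'msDS-KeyVersionNumber' |
        Select-Object Name, PasswordLastSet,
            @{ Name = 'KeyVersion'; Expression = { $_.'msDS-KeyVersionNumber' } }
}

Get-KrbtgtState | Format-List
Get-EncTypeReport | Where-Object Class -ne 'AES-capable' |
    Sort-Object Class, Name | Format-Table -AutoSize
```

Accounts reported as DES-only or RC4-only (especially those with an SPN) are the ones to review before assuming the krbtgt change itself is at fault.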
That’s a good point! I fell into a similar situation once and it kept me scratching my head for days.
Is there any reason you're sticking with the older version of FSLogix? Sometimes, updating to a more recent version can resolve odd issues since they often include bug fixes. Just a thought!
Also, you could consider creating new VHDX files for the users. It might help resolve some of the FSLogix-related issues.
The previous engineer mentioned they encountered issues when upgrading FSLogix, mainly with OneDrive sync in Citrix, which is why they decided to stay on a version that works.

They are running on Windows Server 2022 Standard as well, and the domain functional level is set to 2012R2.