Error connecting to PVS Farm with Credentials from trusted domain using Selective Trust
Article ID: CTX472962
Description
- When connecting to the PVS Farm "localhost" with credentials from a trusted domain, an error is thrown that reads:
"Error Domain Controller" and "unable to connect to the domain Controller (if any) or the default rootDSE. Error code: 60075030, message: Access is denied (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), provider: .
- PVS and admin accounts are in separate forests with two-way transitive trust using Selective Trust (versus Domain-Wide trust).
- Patch KB5010351 is installed on PVS server. Any server that is fully patched as of February 2022 will have this patch.
- The LSA Event ID 40970, which is a warning, will appear in the System Event log of the PVS server. This event reads
"The Security System has detected a downgrade attempt when contacting the 3-part SPN <<SPN>> with the error code "The SAM database on the Windows Server does not have a computer account for this workstation trust relationship. (0xc000018b)". Authentication was denied."
Environment
Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Resolution
Add the following to the registry of the PVS server. Reboot after making the change.
**See IMPORTANT SECURITY NOTE BELOW about the workaround.**
Location: HKLM\SYSTEM\CurrentControlSet\Control\LSA
Value name: SpnDowngradeProtection
Type: REG_DWORD
Data: 0

-----------------------------------
IMPORTANT NOTE: Adding the registry value "SpnDowngradeProtection" with data 0 reverses the mitigation that Microsoft provides in KB5011233. Before applying this workaround, understand the vulnerability described in CVE-2022-21920 and the risk of re-exposing the PVS server to it.
-----------------------------------
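The following PowerShell script is an added example, not part of the Citrix article. It audits a PVS server for the symptom and the workaround described above: it reports whether the SpnDowngradeProtection value is present (and therefore whether the KB5011233 protection is currently disabled), lists recent LSA 40970 warnings, and exports the LSA key as the backup the Caution section asks for. It assumes the 40970 event is logged under the provider name LsaSrv, like the neighbouring 40960/40961 LSA events; run it in an elevated session.

```powershell
# Added example (not from the Citrix article). Assumption: event 40970 is
# written by provider 'LsaSrv'; the registry path and value name are as above.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'SpnDowngradeProtection'

function Get-SpnDowngradeProtectionState {
    # Value absent or non-zero: the CVE-2022-21920 protection from KB5011233 is active.
    # Value 0: the article's workaround is in place and the protection is reversed.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Data = $null; MitigationActive = $true }
    }
    [pscustomobject]@{
        Present          = $true
        Data             = $item.$valueName
        MitigationActive = ($item.$valueName -ne 0)
    }
}

function Get-RecentSpnDowngradeEvents {
    param([int]$Days = 7)
    # Event 40970 is the LSA warning quoted in the Description section.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'LsaSrv'
        Id           = 40970
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Backup-LsaKey {
    param([string]$Path = (Join-Path $env:TEMP 'Lsa-backup.reg'))
    # Export the key before any edit, as the Caution section recommends.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $Path /y | Out-Null
    return $Path
}

$state = Get-SpnDowngradeProtectionState
if ($state.MitigationActive) {
    Write-Host "KB5011233 protection ACTIVE ($valueName absent or non-zero)."
} else {
    Write-Warning "KB5011233 protection DISABLED: $valueName = 0 (CVE-2022-21920 mitigation reversed)."
}

$events = @(Get-RecentSpnDowngradeEvents -Days 7)
Write-Host "LSA 40970 warnings in the last 7 days: $($events.Count)"
$events | Format-Table -AutoSize
Write-Host "Registry backup written to: $(Backup-LsaKey)"
```

Rerun the audit after the PVS issue is resolved (for example, once Kerberos works across the selective trust) so the value can be removed and the protection restored.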
Problem Cause
Microsoft's protections for CVE-2022-21920 (MS KB5011233) are blocking the NTLM authentication that the PVS server falls back to when Kerberos authentication across the selective trust is not successful.
Additional Information
This Microsoft article details KB5011233 and names the vulnerability that the patch mitigates:
https://support.microsoft.com/en-us/topic/kb5011233-protections-in-cve-2022-21920-may-block-ntlm-authentication-if-kerberos-authentication-is-not-successful-dd415f99-a30c-4664-ba37-83d33fb071f4
The description of CVE-2022-21920 is here: https://nvd.nist.gov/vuln/detail/CVE-2022-21920