...
This KB article documents the impact on the functionality of Horizon 7.x and Horizon 8.x after applying the Microsoft security update KB5008380—Authentication updates (CVE-2021-42287) on domain controllers.
The observations were different during different phases of deployment. Please refer to the KB article Microsoft security update KB5008380—Authentication updates (CVE-2021-42287) for the definition of phases.

In summary, except for seeing multiple harmless warning events during the “Initial Deployment Phase” and a single harmless error event during the “Enforcement Phase” for each Horizon component, there is no impact on Horizon functionality.

Initial deployment phase

The initial deployment phase starts with the Windows update released on November 9, 2021.

Testing with PacRequestorEnforcement=1. In this phase, the Microsoft security update sets the value of PacRequestorEnforcement to 1 by default.

- No impact on Horizon functionality was observed.
- Warning events with event id = 37 will be seen on the domain controller for each Horizon component interacting with the domain controller. The warning event will repeat every hour until a new Kerberos TGT is issued. When a new Kerberos TGT is issued depends on the value of the GPO setting “Maximum lifetime for user ticket renewal”; the default value is 7 days. These warning messages are harmless and do not cause any issue in the functionality of Horizon.
- The location of the GPO setting “Maximum lifetime for user ticket renewal” is “Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy”.

Note - No testing was done with PacRequestorEnforcement=0. The Microsoft KB article recommends not setting the value to 0 as it leaves the system vulnerable.

Second deployment phase

The second deployment phase starts with the Windows update to be released on April 12, 2022. This phase removes the PacRequestorEnforcement setting of 0 and enforces the PacRequestorEnforcement value to be 1.

In terms of impact on Horizon functionality, this phase is the same as the "Initial deployment phase" (see the previous section), i.e. no impact on Horizon functionality was observed and warning events with event id = 37 will be seen.

Enforcement phase

The July 12, 2022 release will transition all Active Directory domain controllers into the Enforcement phase.

Testing with PacRequestorEnforcement=2. For customers who have followed Microsoft’s recommendation to enable Enforcement mode on all Active Directory domain controllers by manually setting PacRequestorEnforcement=2:

- No impact on Horizon functionality was observed.
- A single error event with event id = 37 will be seen on the domain controller for each Horizon component interacting with the domain controller.

Notes

Horizon components interacting with the domain controller

The list of Horizon components interacting with the domain controller is as follows:

- The connection server (each instance)
- Enrolment Server
- Composer server (applicable only to Horizon 7.x and Horizon 8 versions prior to 8.1)
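To confirm the pattern described above on a domain controller (hourly warnings that stop once new TGTs are issued, or a single error under enforcement), the following added example reports the configured PacRequestorEnforcement value and counts event 37 per day and severity. It is not code from this article or from VMware. The registry path, log name and provider name are assumptions taken from Microsoft's KB5008380 documentation, and the 14-day lookback is an arbitrary choice.

```powershell
# Added example; run in an elevated PowerShell session on a domain controller.
# Assumptions not stated in the article: the registry path and the event
# log/provider names (as documented by Microsoft for KB5008380), and the lookback.
$kdcKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$lookbackDays = 14   # twice the default 7-day "Maximum lifetime for user ticket renewal"

# 1. Report the configured enforcement level (absent = never set explicitly).
$reg   = Get-ItemProperty -Path $kdcKey -Name PacRequestorEnforcement -ErrorAction SilentlyContinue
$level = if ($null -ne $reg) { $reg.PacRequestorEnforcement } else { 'not set' }
Write-Output "PacRequestorEnforcement: $level"

# 2. Collect event 37 from the KDC provider within the lookback window.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 37
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Output "No event 37 recorded in the last $lookbackDays days."
    return
}

# 3. Count per day and severity. Warnings are expected with the value at 1,
#    errors with the value at 2; daily warning counts should fall to zero
#    once every Horizon component holds a newly issued TGT.
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') }, LevelDisplayName |
    ForEach-Object {
        [pscustomobject]@{
            Day   = $_.Group[0].TimeCreated.ToString('yyyy-MM-dd')
            Level = $_.Group[0].LevelDisplayName
            Count = $_.Count
        }
    } |
    Sort-Object Day, Level |
    Format-Table -AutoSize

# 4. Show the most recent occurrence so ongoing activity is easy to spot.
$latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
Write-Output ("Most recent event 37: {0} ({1})" -f $latest.TimeCreated, $latest.LevelDisplayName)
```

Run it on each domain controller that the Horizon components authenticate against, since events are logged only on the controller that handled the request.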