server 2025 causing lsass reboot after windows hello 4 business logon
Posted by tecxxtc@reddit | sysadmin | 14 comments
Hello and happy 2025,
we have upgraded both domain controllers to server 2025 (fresh install). now windows 10 clients can no longer logon with face/touch/pin (wh4b), getting message "your credentials could not be verified". the power down button no longer works, and after 60 seconds the system automatically reboots. smells like lsass.exe issue.
on the domain controller we get this error:
An account failed to log on.
Subject:
Security ID:SYSTEM
Account Name:SRV001$
Account Domain:REMOVED
Logon ID:0x3E7
Logon Type:3
Account For Which Logon Failed:
Security ID:NULL SID
Account Name:
Account Domain:-
Failure Information:
Failure Reason:An Error occured during Logon.
Status:0xC0000001
Sub Status:0x0
Process Information:
Caller Process ID:0x36c
Caller Process Name:C:\Windows\System32\lsass.exe
Network Information:
Workstation Name:SRV001
Source Network Address:-
Source Port:-
Detailed Authentication Information:
Logon Process:Authz
Authentication Package:Kerberos
Transited Services:-
Package Name (NTLM only):-
Key Length:0
all available latest patches are installed. we narrowed this down to server 2025 by restoring one DC back to 2022, while keeping the other offline. problem gone.
anyone else experiencing this?
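Added example (not part of the original post, and not code from any commenter): a PowerShell query that pulls event 4625 entries from a domain controller's Security log and keeps only those matching the signature quoted above (Status 0xC0000001, logon process Authz, authentication package Kerberos, caller lsass.exe). The 24-hour look-back window and the variable names are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
$since = (Get-Date).AddDays(-1)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the named <Data> fields of the event XML into a hashtable
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # LogonProcessName is often padded with trailing spaces, so trim it
    $logonProcess = ([string]$d['LogonProcessName']).Trim()

    # Keep only events that match the signature from the post
    if ($d['Status'] -eq '0xC0000001' -and
        $logonProcess -eq 'Authz' -and
        $d['AuthenticationPackageName'] -eq 'Kerberos' -and
        $d['ProcessName'] -like '*\lsass.exe') {

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Subject     = $d['SubjectUserName']
            Workstation = $d['WorkstationName']
            LogonType   = $d['LogonType']
            Status      = $d['Status']
            SubStatus   = $d['SubStatus']
        }
    }
}

# Oldest first, so the timestamps can be lined up with client reboot times
$hits | Sort-Object TimeCreated | Format-Table -AutoSize
"Matching 4625 events since ${since}: $(@($hits).Count)"
```

The timestamps in the output can be compared against the unexpected-shutdown times reported on affected clients.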
c3141rd@reddit
We had this issue with Server 2025. Never found a fix. Between this, machine passwords failing to reset causing people to not be able to login, and the broken firewall profiles, it's clear that Server 2025 is unusable at this point in the domain controller role.
SteveSyfuhs@reddit
LSASS is crashing, although it's a bit strange that it would care about the DC at all. Just to be clear you're saying the client fails an interactive logon, then 60 seconds later the client crashes? The only thing on the DC you see is the event log error?
What does the application or system log say about the LSASS crash? Should be an error code at least.
In any case, check the password expiration of one of the offending users and see if they're in an N-7 days window.
tecxxtc@reddit (OP)
the DC is reporting "An account failed to log on" in eventlog twice, but does not crash.
the client is reporting event id 5000 "The security package Kerberos generated an exception. The exception information is the data", followed by event id 6008 "The previous system shutdown at 14:11:46 on 12.01.2025 was unexpected." and after 60 seconds reboots.
i also found this:
users are not in a password expiration window. i was just informed by my team that this happens to all users on all systems, who use wh4b. not just windows 10, as i expected earlier, it also happens on windows 11.
can i provide more info / debug data?
SteveSyfuhs@reddit
Team is investigating. We have a theory.
paramspdotcom@reddit
Is it possible maybe the gpo allowing for windows hello logins to the domain is disabled by default?
tecxxtc@reddit (OP)
unless there is a specific new policy for DCs that i am not aware of, no. clients are unchanged and wh4b worked for over a year. only change was updating DCs to 2025.
Burning_Eddie@reddit
Thanks for beta testing for us.
tecxxtc@reddit (OP)
you're welcome, we're actually doing this on purpose because we "beta test" for our own customers ;)
Elmofuntz@reddit
I came to say this, you beat me to it.
Dangerous-Tackle4954@reddit
Have you checked the client event logs? There are some specific events from WHfB.
tecxxtc@reddit (OP)
good point. but only success / information messages, like "The Primary Account Primary Refresh Token prerequisite check completed successfully.", "The device registration prerequisite check completed successfully.", "Windows Hello for Business is enabled.". no errors.
Disastrous-Cow7354@reddit
Lsass reboot is something from 2001
tecxxtc@reddit (OP)
and yet, it happens. found "event id 5000 LSA" on the client, "The security package Kerberos generated an exception. The exception information is the data.", followed by event id 6008 "The previous system shutdown at 14:11:46 on 12.01.2025 was unexpected." lsass reboot, it is.