In a production environment, CA Access Gateway servers reboot unexpectedly.
At the same time, the Windows lsass.exe process crashes and a mini core dump is generated.
CA Access Gateway runs NTLM authentication on Java (AdoptOpenJDK) in this instance.
Release : 12.8.05
Component : SITEMINDER SECURE PROXY SERVER
lsass.exe crashed when authenticating a user through NTLM. CA Access Gateway uses NTLM authentication.
Microsoft suspects that Access Gateway sends two requests in two threads at the same time, which causes lsass.exe to crash. However, no full lsass.exe process dump or logs were ever collected to support that claim.
A SiteMinder code review shows that the NTLM request is simple and straightforward: it executes under synchronized locks, and the handle is used in the right manner.
Keep in mind that the process that crashed is a Microsoft process, not a SiteMinder process, so only Microsoft has the appropriate tools and libraries to analyze the lsass.exe dump.
Below is the Windows event log:
LSASS Crashes Server with 0xc0000409 and Forces Reboot
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000409. The machine must now be restarted.
Log Name: Application
Source: Application Error
Date: 6/27/2022 12:15:38 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: *****
Description:
Faulting application name: lsass.exe, version: 10.0.17763.2686, time stamp: 0xcb5bd01a
Faulting module name: lsasrv.dll, version: 10.0.17763.2867, time stamp: 0x68320141
Exception code: 0xc0000409
Fault offset: 0x000000000007e5c3
Faulting process id: 0x30c
Faulting application start time: 0x01d88a33104102da
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\lsasrv.dll
Report Id: efcdd1c3-f3ed-477c-bce4-cd3a06e31ab4
Faulting package full name:
Faulting package-relative application ID
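To triage records like the one above across several servers, the Event ID 1000 description can be parsed into fields and the hex start time decoded from FILETIME. This is an added example, not Broadcom or Microsoft code; the function names and the `CRITICAL` set are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Event ID 1000 description copied from the event log on this page.
EVENT_TEXT = r"""Faulting application name: lsass.exe, version: 10.0.17763.2686, time stamp: 0xcb5bd01a
Faulting module name: lsasrv.dll, version: 10.0.17763.2867, time stamp: 0x68320141
Exception code: 0xc0000409
Fault offset: 0x000000000007e5c3
Faulting process id: 0x30c
Faulting application start time: 0x01d88a33104102da
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\lsasrv.dll
Report Id: efcdd1c3-f3ed-477c-bce4-cd3a06e31ab4"""

CRITICAL = {"lsass.exe"}  # assumption: processes whose crash forces a reboot
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAME_RE = re.compile(r"(?P<name>[^,]+), version: (?P<ver>[^,]+), time stamp: \S+")

def filetime_to_utc(hex_value):
    """Convert a hex FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(hex_value, 16) // 10)

def parse_app_error(text):
    """Split an Application Error description into a dict of named fields."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    # The two "name" lines pack name, version and time stamp into one value.
    for kind in ("application", "module"):
        m = NAME_RE.match(fields.get(f"Faulting {kind} name", ""))
        if m:
            fields[f"{kind}_name"] = m["name"].lower()
            fields[f"{kind}_version"] = m["ver"]
    return fields

def triage(text):
    """Summarize a crash of a critical process; return None for anything else."""
    f = parse_app_error(text)
    if f.get("application_name") not in CRITICAL:
        return None
    return {
        "process": f["application_name"],
        "module": f.get("module_name"),
        "module_version": f.get("module_version"),
        "exception": int(f["Exception code"], 16),
        "started_utc": filetime_to_utc(f["Faulting application start time"]),
    }

print(triage(EVENT_TEXT))
```

The decoded start time is in UTC, while the event's Date field is shown in the server's local time, so convert one before comparing them to see how long lsass.exe ran before the crash.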
The Access Gateway servers have not rebooted since the registry entry below, recommended by Microsoft, was made.
We found the resource below from Broadcom, which points to the same issue and workaround but for a different product.
https://knowledge.broadcom.com/external/article/211919/sso-xflowservice-point-crashes-windows-s.html