Access Gateway server reboots while Windows lsass.exe process crashes.

Article ID: 251299

Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

In a production environment, Symantec Access Gateway servers unexpectedly reboot.

At the same time, the Windows lsass.exe process crashes and a mini core dump is generated.

Symantec Access Gateway runs NTLM authentication on Java.

Environment

Release : 12.8.05 and higher.

Component : SITEMINDER SECURE PROXY SERVER

Cause

lsass.exe crashed when authenticating a user through NTLM. CA Access Gateway uses NTLM authentication.

Microsoft suspects that Access Gateway sends two requests in two threads at the same time, which causes lsass.exe to crash.

However, no full lsass.exe process dump was ever collected, and there are no logs, to support that claim.

A review of the SiteMinder code shows that the NTLM request is simple and straightforward: it executes under synchronized locks, and the handle is used in the right manner.

Keep in mind that the process that crashed is a Microsoft process, not a SiteMinder process, so only Microsoft has the appropriate tools and libraries to analyze the lsass.exe dump.

Below is the Windows event log entry:

LSASS Crashes Server with 0xc0000409 and Forces Reboot
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000409. The machine must now be restarted.
Log Name: Application
Source: Application Error
Date: 6/27/2022 12:15:38 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: *****
Description:
Faulting application name: lsass.exe, version: 10.0.17763.2686, time stamp: 0xcb5bd01a
Faulting module name: lsasrv.dll, version: 10.0.17763.2867, time stamp: 0x68320141
Exception code: 0xc0000409
Fault offset: 0x000000000007e5c3
Faulting process id: 0x30c
Faulting application start time: 0x01d88a33104102da
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\lsasrv.dll
Report Id: efcdd1c3-f3ed-477c-bce4-cd3a06e31ab4
Faulting package full name:
Faulting package-relative application ID

Resolution

The Access Gateway servers have not rebooted since the registry entry below, which was recommended by Microsoft, was made.

Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Setting: TrackLoopbackForSession
Type: DWORD
Value: 0

We found the following Broadcom resource, which points to the same issue and workaround, but for a different product.

https://knowledge.broadcom.com/external/article/211919/sso-xflowservice-point-crashes-windows-s.html
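
One way to check and apply the registry entry above, and to list lsass.exe crash events from the Application log, is the PowerShell script below. It is an added example, not code from Broadcom or Microsoft. The -Apply and -DaysBack parameters are hypothetical names chosen here, and the message matching assumes an English-language Windows event log.

```powershell
# Added example: audit or apply the TrackLoopbackForSession entry and list
# lsass.exe crash events. Run from an elevated session on the Access Gateway host.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply,       # hypothetical switch: write the value instead of only reporting it
    [int]$DaysBack = 30   # hypothetical parameter: how far back to search the Application log
)

$Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'TrackLoopbackForSession'
$Want = 0

# Read the current value; $null means the entry does not exist.
$current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) { Write-Output "$Name is not set" }
else { Write-Output "$Name = $current" }

# Create or overwrite the DWORD only when asked to and only when it differs.
if ($Apply -and $current -ne $Want) {
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Want")) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Want -Force | Out-Null
        Write-Output "$Name set to $Want"
    }
}

# Application Error / Event ID 1000 is the event shown in the log excerpt above.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$DaysBack)
}
$crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Faulting application name: lsass\.exe' })

# Pull the exception code and faulting module out of each event description.
$crashes | Select-Object TimeCreated,
    @{ n = 'ExceptionCode';  e = { if ($_.Message -match 'Exception code: (0x[0-9a-fA-F]+)') { $Matches[1] } } },
    @{ n = 'FaultingModule'; e = { if ($_.Message -match 'Faulting module name: ([^,]+)') { $Matches[1] } } }

Write-Output ("lsass.exe crash events in the last {0} days: {1}" -f $DaysBack, $crashes.Count)
```

Without -Apply the script only reports; with -Apply -WhatIf it shows the registry change it would make without writing it.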

 

Additional Information

DE543261
 
Generate a Full Crash-Dump on Windows
https://knowledge.broadcom.com/external/article?articleId=236059