KB Article #181903

Deadlock in LSASS when DV Config Stored on SMB with Kerberos Authentication

Problem

Configuring DV to load a text config from an SMB share that uses Kerberos authentication can cause a deadlock in LSASS.

Resolution

This can happen because DV must load its config before it can validate certificates, but accessing the SMB share with Kerberos authentication triggers a certificate revocation lookup before DV has been able to load. The fix is to ensure that DV loads a config that does not trigger such an access request. For example, you could have DV load a local copy of the config, which you update from the network share. You could then run dvconfig.exe to make DV reload the config file if the copy on the network is newer than the local copy. Because DV reads only the local copy, it does not deadlock trying to access the network before it has loaded its config.
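One way to implement the local-copy update described above, for example as a scheduled task (an added example, not code from the DV Admin Guide or the vendor). The share path, local path and dvconfig.exe location are placeholders, the local folder is assumed to be writable only by administrators, and the reload arguments are left as a parameter because this article does not list them.

```powershell
# Added example: refresh a local DV config from an SMB share, then ask DV to reload it.
# All default values below are placeholders (assumptions), not values from this KB article.
param(
    [string]$SharePath    = '\\fileserver.example\dvconfig\dv-config.txt',  # placeholder share
    [string]$LocalPath    = 'C:\ProgramData\DVConfig\dv-config.txt',        # placeholder local copy
    [string]$DvConfigExe  = 'C:\Path\To\dvconfig.exe',                      # placeholder install path
    [string[]]$ReloadArgs = @()  # reload arguments: take these from the DV Admin Guide
)

$ErrorActionPreference = 'Stop'

function Test-ShareCopyNewer {
    param([string]$Source, [string]$Destination)
    # Unreachable share or missing file: report "not newer" so DV keeps its local copy.
    if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) { return $false }
    # No local copy yet: the share copy counts as newer.
    if (-not (Test-Path -LiteralPath $Destination -PathType Leaf)) { return $true }
    $src = (Get-Item -LiteralPath $Source).LastWriteTimeUtc
    $dst = (Get-Item -LiteralPath $Destination).LastWriteTimeUtc
    return $src -gt $dst
}

try {
    if (-not (Test-ShareCopyNewer -Source $SharePath -Destination $LocalPath)) {
        Write-Output 'Local config is current or the share is unreachable; nothing to do.'
        exit 0
    }

    # Stage next to the target so DV never reads a partially copied file.
    $staging = "$LocalPath.new"
    Copy-Item -LiteralPath $SharePath -Destination $staging -Force
    if ((Get-Item -LiteralPath $staging).Length -eq 0) {
        Remove-Item -LiteralPath $staging -Force
        throw 'Config on the share is empty; keeping the existing local copy.'
    }
    Move-Item -LiteralPath $staging -Destination $LocalPath -Force

    # Only this script touches the network; DV itself reads the local file.
    & $DvConfigExe @ReloadArgs
    if ($LASTEXITCODE -ne 0) { throw "dvconfig.exe exited with code $LASTEXITCODE" }
    Write-Output 'Local config updated and reload requested.'
}
catch {
    Write-Error $_ -ErrorAction Continue
    exit 1
}
```

Copy-Item keeps the source file's last-write time, so the next run sees the two copies as equal and skips the reload until the share copy changes again.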


For further information on how to configure DV config updates, refer to the chapter entitled "Distributing Desktop Validator configuration updates" in the DV Admin Guide.