04-21-2022 07:19 AM
Hi to all, before writing I read some posts here on the community, and I just configured my NGFW and Windows domain controllers.
Because every 3 sec I get an alert about "The server-side authentication level policy does not allow the user AAA\BBB SID (XXX) from address Y.Y.Y.Y activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application." I modified the server monitoring setting, changing from WMI to WinRM-HTTP.
On the firewall interface I have all the domain controllers in connected status and, looking at the monitor logs, I can see user IDs.
The problem is that in the Event Viewer of the domain controllers I keep seeing the error.
Can someone please help me?
Thank you
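The error quoted above names the client address and account that the domain controller is rejecting, so the first thing to establish is which host is generating the flood. The following Python snippet is an added example (not from the original post or from Palo Alto Networks) that parses that message text from exported Event Viewer messages and counts events per client address and account; the sample messages, accounts, SIDs and addresses are constructed.

```python
import re
from collections import Counter

# Pattern for the DCOM hardening event text quoted in the post. The real
# event reads "... to activate DCOM server"; the post's copy drops "to",
# so both forms are accepted.
EVENT_RE = re.compile(
    r"does not allow the user (?P<user>\S+) SID \((?P<sid>[^)]+)\) "
    r"from address (?P<addr>[0-9A-Fa-f:.]+) (?:to )?activate DCOM server"
)

def parse_event(message):
    """Return (user, sid, addr) from one event message, or None if the
    message is not a DCOM authentication-level event."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    return m.group("user"), m.group("sid"), m.group("addr")

def clients_by_volume(messages):
    """Count events per (client address, account). The top entry is the
    client that needs its activation authentication level raised, e.g.
    an agentless User-ID poller still using WMI."""
    counts = Counter()
    for msg in messages:
        parsed = parse_event(msg)
        if parsed:
            user, _sid, addr = parsed
            counts[(addr, user)] += 1
    return counts

def noisiest_client(messages):
    """Return the (address, account) pair with the most events, or None."""
    top = clients_by_volume(messages).most_common(1)
    return top[0][0] if top else None

# Constructed sample messages; accounts, SIDs and addresses are made up.
TEMPLATE = (
    "The server-side authentication level policy does not allow the user "
    "{user} SID ({sid}) from address {addr} to activate DCOM server. "
    "Please raise the activation authentication level at least to "
    "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."
)
SAMPLE_EVENTS = [
    TEMPLATE.format(user="CORP\\svc-userid", sid="S-1-5-21-1-2-3-1105", addr="10.0.0.5"),
    TEMPLATE.format(user="CORP\\svc-userid", sid="S-1-5-21-1-2-3-1105", addr="10.0.0.5"),
    TEMPLATE.format(user="CORP\\svc-userid", sid="S-1-5-21-1-2-3-1105", addr="10.0.0.5"),
    TEMPLATE.format(user="CORP\\jdoe", sid="S-1-5-21-1-2-3-1201", addr="10.0.3.44"),
    "The DCOM server process launched normally.",  # unrelated event, ignored
]

if __name__ == "__main__":
    for (addr, user), n in clients_by_volume(SAMPLE_EVENTS).most_common():
        print(f"{addr:<16} {user:<20} {n} events")
```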
04-22-2022 09:14 AM - edited 08-16-2022 11:25 AM
Hi @ConfindustriaBG ,
It appears that you are running into this problem -> https://docs.microsoft.com/en-us/answers/questions/564347/server-2019-update-kb5005568-sept-2021-for.... Notice that this thread said that the registry changes specified here -> https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-... do not work. The security feature seems to have been implemented prematurely before the fix.
I had 1 client face this issue, and I recommended the Windows agent instead of agentless User-ID. We have not tested it yet, but it makes sense it will fix the annoying logs.
Thanks,
Tom
Edit: So you are getting the same error with WinRM? I guess changing the protocol is not a fix.
Edit 2: Backing out update KB5005568 could also be a fix if allowed by the security team.
Edit 3: The registry change works after June 14, 2022, as specified in the KB. This feature will be removed on March 14, 2023. So will the ability to back out the update.
04-22-2022 05:41 AM
Are you able to try WinRM-HTTPS?
04-22-2022 06:43 AM
Hi Reaper, thank you for your reply.
I have to understand how to manage certs on the domain controllers.
The PAN-OS Administrator's Guide explains how to obtain the cert thumbprint, but using only one server.
Another thing is that the guide says
"WinRM with Kerberos supports the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 ciphers. If the server you want to monitor uses RC4, you must download the Windows update and disable RC4 for Kerberos in the registry settings of the server you want to monitor."
Reading on the internet, it is not suggested to disable RC4 for Kerberos because there could be some problems with clients.
However, the NGFW is working fine. The problem is only the Event Viewer of the domain controllers.
I'll try to understand how to manage the certs.
Thank you
04-26-2022 01:45 AM
Hi @TomYoung , thank you for your reply.
I'll try to install the agent on one of the domain controllers and I'll let you know.
Ciao,
Marco
04-26-2022 11:54 PM
Hello @TomYoung, I just installed the ID Agent. Now the log of the domain controllers is clean!
Thanks and have a nice day!
Ciao