User identification and WinRM on HTTP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User identification and WinRM on HTTP

L1 Bithead

Hi to all, before to write i red some post here on the community and i just configured my NGFW and windows domain controllers.

Becuase i have every 3 sec an alert about "The server-side authentication level policy does not allow the user AAA\BBB SID (XXX) from address Y.Y.Y.Y activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application." i modified the server monitoring setting changing from WMI to WinRM-HTTP.

On the firewall interface i have all the domain controllers in connected status and, looking on monitor logs, i can see users id.

 

The problem is that on Event Viewer of domain controllers keep to see the error.

 

Please someone can help me?

 

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @ConfindustriaBG ,

 

It appears that you are running into this problem -> https://docs.microsoft.com/en-us/answers/questions/564347/server-2019-update-kb5005568-sept-2021-for....  Notice that this thread said that the registry changes specified here -> https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-... do not work.  The security feature seems to have been implemented prematurely before the fix.

 

I had 1 client face this issue, and I recommended the Windows agent instead of agentless User-ID.  We have not tested it yet, but it makes sense it will fix the annoying logs.

 

Thanks,

 

Tom

 

Edit:  So you are getting the same error with WinRM?  I guess changing the protocol is not a fix.

 

Edit 2:  Backing out update KB5005568 could also be a fix if allowed by the security team.

 

Edit 3:  The registry change works after June 14, 2022 as specified in the KB.  This feature will be removed at March 14, 2023.  So will be the ability to back out the update.

Help the community: Like helpful comments and mark solutions.

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

are you able to try WinRM-HTTPS ?

Tom Piens
PANgurus - (co)managed services and consultancy

Hi Reaper, thank you for your reply.

I have to understand how to manage certs on domain controllers.

PAN-OS Administrator’s Guide explain how to obtain cert thumb but using only one server.

 

Another thing is that the guide say

"WinRM with Kerberos supports the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 ciphers. If the server you want to monitor uses RC4, you must download the Windows update and disable RC4 for Kerberos in the registry settings of the server you want to monitor."

 

Reading on internet, is not suggested to disable RC4 for Kerberos because could be some problems with clients.

However NGFW is working fine. The problem is only the event viewer of domain controllers.

 

I'll try to understand how to manage the certs.

 

Thank you

Cyber Elite
Cyber Elite

Hi @ConfindustriaBG ,

 

It appears that you are running into this problem -> https://docs.microsoft.com/en-us/answers/questions/564347/server-2019-update-kb5005568-sept-2021-for....  Notice that this thread said that the registry changes specified here -> https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-... do not work.  The security feature seems to have been implemented prematurely before the fix.

 

I had 1 client face this issue, and I recommended the Windows agent instead of agentless User-ID.  We have not tested it yet, but it makes sense it will fix the annoying logs.

 

Thanks,

 

Tom

 

Edit:  So you are getting the same error with WinRM?  I guess changing the protocol is not a fix.

 

Edit 2:  Backing out update KB5005568 could also be a fix if allowed by the security team.

 

Edit 3:  The registry change works after June 14, 2022 as specified in the KB.  This feature will be removed at March 14, 2023.  So will be the ability to back out the update.

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi @TomYoung , thank you for your reply.

I'll try to install the agent on one of the Domain Controller and I'll let you know.

 

Ciao,

 

Marco

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!