topic Re: ISE-PIC WMI failing on Windows Server 2019 with KB5005568 in Network Access Control

ISE-PIC WMI failing on Windows Server 2019 with KB5005568

hendrikfuest — Wed, 03 Nov 2021 09:54:44 GMT

Hello,

ISE 2.7p5
Windows 2019

I recently implemented ISE-PIC using WMI at a customer.
In the setup process we noticed error events (10036 [Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application]) on the Domain Controller. After searching for the cause and finding a similar problem, we removed KB5005568 (workarounds did not help) from the Domain Controllers and were able to get WMI and ISE-PIC running.

It seems like Microsoft changed something regarding DCOM in KB5004442 and enforced it prematurely in KB5005568.

The customer is now asking when they can reapply the Windows updates? Is ISE-PIC going to fail again?

example ISE WMI Log:
2021-10-14 09:20:50,657 ERROR [PassiveID-WMI-InitConnection][] com.cisco.idc.dc-probe- Error reading NetBios: Access is denied, please check whether the [domain-username-password] are correct. Also, if not already done please check the GETTING STARTED and FAQ sections in readme.htm. They provide information on how to correctly configure the Windows machine for DCOM access, so as to avoid such exceptions. [0x00000005]{Identity Mapping.wmi-class=Win32_NTDomain, Identity Mapping.dc-domainname=<domain>, Identity Mapping.dc-name=<dc-fqdn>, Identity Mapping.dc-host=<dc-fqdn>/<dc-ip>, Identity Mapping.wmi-property=DomainName}

Anyone else ran into this problem?

Thanks,
Hendrik

Re: ISE-PIC WMI failing on Windows Server 2019 with KB5005568

Greg Gibbs — Wed, 03 Nov 2021 21:42:00 GMT

An enhancement bug has been filed for using Kerberos instead of NTLM for Passive ID. Until that is possible, this MS security patch will likely need to be removed.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz97194

ISE-PIC 3.1 supports using MSRPC instead of WMI for Passive ID. You could try testing with it in a lab, but I believe MSRPC is still NTLM-based, so it may also fail.

Re: ISE-PIC WMI failing on Windows Server 2019 with KB5005568

hendrikfuest — Thu, 04 Nov 2021 08:13:37 GMT

Thanks for the answer. 🙂

Guess we will wait then.

Re: ISE-PIC WMI failing on Windows Server 2019 with KB5005568

lifesouthhd — Tue, 01 Feb 2022 17:00:43 GMT

What if you stopped using ISE-PIC and just use Active Identity instead? We have ISE-PIC tied into our AD environment and using PXGRID services for USER to IP mapping for FMC firewall policies to work correctly. Is there a downside to switching over to active identity?

Re: ISE-PIC WMI failing on Windows Server 2019 with KB5005568

RomanMikes95774 — Mon, 08 Aug 2022 14:49:38 GMT

Is there any resolution or workaround on this. The date when the MS patch will not be able to deactivate is approaching (03/2023). Since then PassiveID/WMI stops working. Any comment appreciated.

Thanks Roman

Re: ISE-PIC WMI failing on Windows Server 2019 with KB5005568

RomanMikes95774 — Thu, 23 Feb 2023 16:04:39 GMT

MS-RPC agent solves the issue. It doesn't require the DCOM privilages like the WMI access does.

Re: ISE-PIC WMI failing on Windows Server 2019 with KB5005568

Charlie Moreton — Thu, 23 Feb 2023 17:16:46 GMT

Resurrecting a 2-year old thread that has an accepted solution limits the number of people that will take a look at it. The best thing to do is to start a new thread.

Check out this article to solve the issue

Configure EVT-Based Identity Services Engine Passive ID Agent

Re: ISE-PIC WMI failing on Windows Server 2019 with KB5005568

evan.leipold — Wed, 22 Mar 2023 00:15:52 GMT

lol, so Cisco has gone back to needing an agent installed on the dc, we've gone full circle!

Why didnt you guys just implement WinRM over HTTPS like Palo and call it a day?

Cisco really does love making things harder than they need to be.