https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4541418#M572454 <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; - FYI :&nbsp;<A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz97194" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz97194</A></P> <P>&nbsp;M.</P> Fri, 28 Jan 2022 16:25:46 GMT Mark Elsen 2022-01-28T16:25:46Z https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4541256#M572445 <P>Hello all,</P><P>&nbsp;</P><P>after upgrading our Active directory environment from Windows 2012 to Windows 2019 and installing the latest security updates from Microsoft (KB5004442), logs on the DC show the following error regarding the connections from ISE.</P><P><STRONG>The server-side authentication level policy does not allow the user <EM>domain</EM>\user SID (S-1-5-21-9321468-1570001470-2076119496-113405) from address&nbsp;<EM>ISE_ip_address</EM> to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.</STRONG></P><P>According to Microsoft a temp solution would be to change the registry on the DC. But from June2022 this hardening will be permanent (<A title="Microsoft article" href="https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c" target="_blank" rel="noopener">https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c</A>)</P><P>Is there something that can be done on ISE side to fix the problem?</P><P>&nbsp;</P><P>Thank you in advance,</P><P>Katerina</P> Fri, 28 Jan 2022 12:13:08 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4541256#M572445 katerina.dardoufa 2022-01-28T12:13:08Z https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4541418#M572454 <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; - FYI :&nbsp;<A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz97194" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz97194</A></P> <P>&nbsp;M.</P> Fri, 28 Jan 2022 16:25:46 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4541418#M572454 Mark Elsen 2022-01-28T16:25:46Z https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4541538#M572459 <P>Is this about ISE-SCCM server integration (external MDM / Desktop Management) ? It’s always been a nightmare to set up the DCOM and registry privileges.</P> Fri, 28 Jan 2022 19:07:31 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4541538#M572459 Peter Koltl 2022-01-28T19:07:31Z https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4542412#M572500 <P>It's affecting the Active Directory as a PassiveID provider via WMI.</P> Sun, 30 Jan 2022 21:58:15 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4542412#M572500 hslai 2022-01-30T21:58:15Z https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4543592#M572543 <P><SPAN>What if you stopped using ISE-PIC and just use Active Identity instead? We have ISE-PIC tied into our AD environment and using PXGRID services for USER to IP mapping for FMC firewall policies to work correctly. Is there a downside to switching over to active identity? And no longer using passive-id?</SPAN></P> Tue, 01 Feb 2022 18:06:58 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4543592#M572543 lifesouthhd 2022-02-01T18:06:58Z https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4543999#M572559 <P>Hello,</P><P>this is an interesting approach... I will have to contact our partner and see what their thoughts are on the matter.</P><P>&nbsp;</P><P>Thank you for the suggestion <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 02 Feb 2022 11:58:42 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-and-ad-windows-2019-activation-authentication-level/m-p/4543999#M572559 katerina.dardoufa 2022-02-02T11:58:42Z