01-28-2022 04:13 AM
Hello all,
after upgrading our Active Directory environment from Windows 2012 to Windows 2019 and installing the latest security updates from Microsoft (KB5004442), logs on the DC show the following error regarding the connections from ISE.
The server-side authentication level policy does not allow the user domain\user SID (S-1-5-21-9321468-1570001470-2076119496-113405) from address ISE_ip_address to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
According to Microsoft a temp solution would be to change the registry on the DC. But from June 2022 this hardening will be permanent (https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c).
Is there something that can be done on ISE side to fix the problem?
Thank you in advance,
Katerina
Labels: Identity Services Engine (ISE)
Accepted Solutions
01-28-2022 08:25 AM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz97194
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
01-28-2022 11:07 AM
Is this about ISE-SCCM server integration (external MDM / Desktop Management)? It’s always been a nightmare to set up the DCOM and registry privileges.
01-30-2022 01:58 PM
It's affecting the Active Directory as a PassiveID provider via WMI.
02-01-2022 10:06 AM
What if you stopped using ISE-PIC and just use Active Identity instead? We have ISE-PIC tied into our AD environment and using PXGRID services for USER to IP mapping for FMC firewall policies to work correctly. Is there a downside to switching over to active identity? And no longer using passive-id?
02-02-2022 03:58 AM
Hello,
this is an interesting approach... I will have to contact our partner and see what their thoughts are on the matter.
Thank you for the suggestion.
