ISE 2.7 and AD Windows 2019 activation authentication level

Hello all,

After upgrading our Active Directory environment from Windows 2012 to Windows 2019 and installing the latest security updates from Microsoft (KB5004442), the logs on the DC show the following error regarding the connections from ISE.

The server-side authentication level policy does not allow the user domain\user SID (S-1-5-21-9321468-1570001470-2076119496-113405) from address ISE_ip_address to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

According to Microsoft, a temporary solution would be to change the registry on the DC, but from June 2022 this hardening will be permanent (https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c).

Is there something that can be done on ISE side to fix the problem?


Thank you in advance,

Katerina
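The event quoted above is the DC rejecting a DCOM activation whose authentication level is below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. Before the hardening becomes permanent, a DC administrator wants two things: an inventory of which clients and accounts are still being rejected (ISE here, but any WMI or DCOM client), and a clear answer on whether the temporary registry override is in place. The PowerShell below is an added example written for this thread, not something posted by the author or shipped by Cisco or Microsoft. It assumes, from Microsoft's KB5004442 rather than from this page, that the server-side rejection is logged in the System log as Event ID 10036 from provider Microsoft-Windows-DistributedCOM, and that the override is the DWORD RequireIntegrityActivationAuthenticationLevel under HKLM:\SOFTWARE\Microsoft\Ole\AppCompat (0 disables the check, 1 enforces it); the message regex is written against the exact wording quoted in the post.

```powershell
# Added example (not from the thread): inventory DCOM clients rejected by the
# KB5004442 activation hardening on this DC and report the override state.
# Assumptions taken from Microsoft's KB, not from this page:
#   - server-side rejections are System log Event ID 10036,
#     provider Microsoft-Windows-DistributedCOM
#   - the temporary override is RequireIntegrityActivationAuthenticationLevel
#     (DWORD) under HKLM:\SOFTWARE\Microsoft\Ole\AppCompat, 0 = off, 1 = enforced

# Look back one week; adjust to the DC's log retention.
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Extract account, SID and client address from the message text quoted in the
# original post: "... does not allow the user DOMAIN\user SID (S-1-5-...) from
# address 10.0.0.5 to activate DCOM server."
$pattern = 'user (?<user>\S+) SID \((?<sid>S-[\d-]+)\) from address (?<addr>\S+) to activate DCOM server'

$report = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = $Matches.user
            SID         = $Matches.sid
            ClientIP    = $Matches.addr
        }
    }
}

# One row per client/account pair, most frequently rejected first. Each row is
# a client that still needs its DCOM authentication level raised (or, for a
# product like ISE, the vendor fix applied) before enforcement becomes permanent.
$report |
    Group-Object ClientIP, User |
    Select-Object @{n='Client';     e={ $_.Group[0].ClientIP }},
                  @{n='Account';    e={ $_.Group[0].User }},
                  @{n='SID';        e={ $_.Group[0].SID }},
                  @{n='Rejections'; e={ $_.Count }},
                  @{n='LastSeen';   e={ ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated }} |
    Sort-Object Rejections -Descending |
    Format-Table -AutoSize

# State of the temporary override on this DC. A value of 0 means the workaround
# is in place and should be tracked for removal; absent means the default for
# the current enforcement phase applies.
$key   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
switch ($value) {
    $null   { 'Override not set: default hardening for the current phase applies.' }
    0       { 'Override = 0: integrity check disabled (temporary workaround in place).' }
    1       { 'Override = 1: integrity check enforced.' }
    default { "Override has unexpected value $value." }
}
```

Run it in an elevated PowerShell session on the DC that logs the events; the grouped table doubles as the list of systems to revisit once the vendor fix is installed, and the final line makes it obvious when a DC is still relying on the override.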

Accepted solution

marce1000 (VIP)

- FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz97194

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '


Peter Koltl (Level 7)

Is this about ISE-SCCM server integration (external MDM / Desktop Management) ? It’s always been a nightmare to set up the DCOM and registry privileges.

It's affecting the Active Directory as a PassiveID provider via WMI.

lifesouthhd (Level 1)

What if you stopped using ISE-PIC and just use Active Identity instead? We have ISE-PIC tied into our AD environment and using PXGRID services for USER to IP mapping for FMC firewall policies to work correctly. Is there a downside to switching over to active identity? And no longer using passive-id?

Hello,

This is an interesting approach... I will have to contact our partner and see what their thoughts are on the matter.

Thank you for the suggestion.