Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1169
Views
5
Helpful
1
Replies

CDA stopped getting mappings after AD patching

Go to solution
captkloss
Level 1
Level 1

‎03-28-2017 03:01 PM

Hello, have anyone experienced this? I have patched AD servers over the weekend and ever since then we have lost all the user/ip mappings. I have went over AD settings for the CDA user, all is in order... we have discovered this by accident, because strangely enough WSA works fine (detects identity transparently) even though TUISTATUS shows no mappings....

3 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tao Yang
Cisco Employee
Cisco Employee

‎03-28-2017 11:21 PM

It is a known issue for now. A recent Microsoft security update has caused issues in several customer environments wherein their domain controllers stop logging these 4768 event IDs.  The offending KBs are listed below:

 

KB4012212 (2008) / KB4012213 (2012)
KB4012215 (2008) / KB4012216 (2012)

As a current workaround, users should be able to uninstall the above mentioned KBs and the 4768 event IDs should resume logging.  As of the date of this initial publication (3/28/2017), we do not yet know of a permanent fix from Microsoft.  There are several threads tracking this issue below:

 

Reddit:

https://www.reddit.com/r/sysadmin/comments/5zs0nc/heads_up_ms_kb4012213_andor_ms_kb4012216_disables/

 

UltimateWindowsSecurity.com:

http://forum.ultimatewindowssecurity.com/Topic7340-276-1.aspx

 

Microsoft TechNet:

https://social.technet.microsoft.com/Forums/systemcenter/en-US/4136ade9-d287-4a42-b5cb-d6042d227e4f/...

View solution in original post

1 Reply 1

Go to solution
Tao Yang
Cisco Employee
Cisco Employee

‎03-28-2017 11:21 PM

It is a known issue for now. A recent Microsoft security update has caused issues in several customer environments wherein their domain controllers stop logging these 4768 event IDs.  The offending KBs are listed below:

 

KB4012212 (2008) / KB4012213 (2012)
KB4012215 (2008) / KB4012216 (2012)

As a current workaround, users should be able to uninstall the above mentioned KBs and the 4768 event IDs should resume logging.  As of the date of this initial publication (3/28/2017), we do not yet know of a permanent fix from Microsoft.  There are several threads tracking this issue below:

 

Reddit:

https://www.reddit.com/r/sysadmin/comments/5zs0nc/heads_up_ms_kb4012213_andor_ms_kb4012216_disables/

 

UltimateWindowsSecurity.com:

http://forum.ultimatewindowssecurity.com/Topic7340-276-1.aspx

 

Microsoft TechNet:

https://social.technet.microsoft.com/Forums/systemcenter/en-US/4136ade9-d287-4a42-b5cb-d6042d227e4f/...

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents