CDA stopped getting mappings after AD patching

captkloss
Level 1

Hello, has anyone experienced this? I have patched AD servers over the weekend and ever since then we have lost all the user/IP mappings. I have gone over the AD settings for the CDA user, all is in order... We discovered this by accident, because strangely enough WSA works fine (detects identity transparently) even though TUISTATUS shows no mappings....

Accepted Solutions

Tao Yang
Cisco Employee

It is a known issue for now. A recent Microsoft security update has caused issues in several customer environments wherein their domain controllers stop logging these 4768 event IDs. The offending KBs are listed below:

KB4012212 (2008) / KB4012213 (2012)
KB4012215 (2008) / KB4012216 (2012)

As a current workaround, users should be able to uninstall the above-mentioned KBs and the 4768 event IDs should resume logging. As of the date of this initial publication (3/28/2017), we do not yet know of a permanent fix from Microsoft. There are several threads tracking this issue below:

Reddit:

https://www.reddit.com/r/sysadmin/comments/5zs0nc/heads_up_ms_kb4012213_andor_ms_kb4012216_disables/

UltimateWindowsSecurity.com:

http://forum.ultimatewindowssecurity.com/Topic7340-276-1.aspx

Microsoft TechNet:

https://social.technet.microsoft.com/Forums/systemcenter/en-US/4136ade9-d287-4a42-b5cb-d6042d227e4f/...
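
A check for the condition described in the answer above, as an added example that is not part of the original posts or of Cisco's tooling: for each domain controller it reports which of the listed KBs are installed and when the last 4768 event was logged. The parameter names, the 24-hour window and the status strings are assumptions.

```powershell
# Added example. Run elevated on a domain controller, or pass DC names;
# reading the Security log requires administrative rights.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),  # assumption: local host by default
    [int]$LookbackHours = 24                             # assumption: search window
)

# KB numbers as listed in the answer above
$suspectKBs = 'KB4012212', 'KB4012213', 'KB4012215', 'KB4012216'
$filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$LookbackHours) }

foreach ($dc in $DomainController) {
    # Which of the listed updates are installed on this DC?
    $installed = @(Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
        Where-Object { $suspectKBs -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID })

    # Newest 4768 event inside the window, if any
    $last = $null
    $queryError = $null
    try {
        $last = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -MaxEvents 1 -ErrorAction Stop
    }
    catch {
        # "No events found" is the symptom being looked for; anything else
        # (access denied, RPC unavailable) means the check itself failed.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $queryError = $_.Exception.Message
        }
    }

    if ($queryError) {
        $status = "Query failed: $queryError"
    } elseif ($last) {
        $status = '4768 events are being logged'
    } elseif ($installed.Count -gt 0) {
        $status = 'No 4768 events; listed KB installed'
    } else {
        $status = 'No 4768 events; listed KBs not found'
    }

    [pscustomobject]@{
        DomainController = $dc
        InstalledKBs     = $installed -join ', '
        Last4768         = if ($last) { $last.TimeCreated } else { $null }
        Status           = $status
    }
}
```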