ISE-PIC WMI failing on Windows Server 2019 with KB5005568

hendrikfuest
Level 1

Hello,

 

ISE 2.7p5
Windows 2019

 

I recently implemented ISE-PIC using WMI at a customer.
In the setup process we noticed error events (10036 [Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application]) on the Domain Controller. After searching for the cause and finding a similar problem, we removed KB5005568 (workarounds did not help) from the Domain Controllers and were able to get WMI and ISE-PIC running.

 

It seems like Microsoft changed something regarding DCOM in KB5004442 and enforced it prematurely in KB5005568.

The customer is now asking when they can reapply the Windows updates. Is ISE-PIC going to fail again?

 

Example ISE WMI log:
2021-10-14 09:20:50,657 ERROR [PassiveID-WMI-InitConnection][] com.cisco.idc.dc-probe- Error reading NetBios: Access is denied, please check whether the [domain-username-password] are correct. Also, if not already done please check the GETTING STARTED and FAQ sections in readme.htm. They provide information on how to correctly configure the Windows machine for DCOM access, so as to avoid such exceptions. [0x00000005]{Identity Mapping.wmi-class=Win32_NTDomain, Identity Mapping.dc-domainname=<domain>, Identity Mapping.dc-name=<dc-fqdn>, Identity Mapping.dc-host=<dc-fqdn>/<dc-ip>, Identity Mapping.wmi-property=DomainName}


Has anyone else run into this problem?


Thanks,
Hendrik
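Added example, not part of the thread and not Cisco's or Microsoft's code: a PowerShell script that lists the DCOM hardening events (ID 10036) on a Domain Controller and groups them by the account and client address that triggered them, so an administrator can see which clients (for example ISE-PIC nodes) are still activating DCOM below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY before the change is enforced. It assumes the event is written to the System log by the Microsoft-Windows-DistributedCOM provider and that the message text follows the wording quoted above; the regular expression used to parse it is an assumption, and unparsed messages are shown raw.

```powershell
# Added example (not from the thread): summarise DCOM event 10036 on a DC so the
# clients that still use an activation authentication level below
# RPC_C_AUTHN_LEVEL_PKT_INTEGRITY can be identified before enforcement.
# Assumptions: run elevated on (or with rights to) the DC; the event lives in the
# System log under provider Microsoft-Windows-DistributedCOM.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036
    StartTime    = (Get-Date).AddDays(-$Days)
}

# SilentlyContinue: Get-WinEvent raises an error (not an empty result) when no events match.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No event 10036 in the last $Days days on $ComputerName."
    return
}

# Extract "user DOMAIN\name SID (S-1-...) from address <ip>" from the message text.
# The pattern is an assumption based on the documented event wording; fall back to
# the raw message when it does not match so nothing is silently dropped.
$pattern = 'user\s+(?<user>\S+)\s+SID\s+\((?<sid>[^)]+)\)\s+from address\s+(?<addr>\S+)'
$rows = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $pattern)
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        User        = if ($m.Success) { $m.Groups['user'].Value } else { '<unparsed>' }
        Address     = if ($m.Success) { $m.Groups['addr'].Value } else { $e.Message }
    }
}

# One row per (user, address) pair: these are the clients that will stop working
# once the DCOM hardening is enforced rather than only audited.
$rows | Group-Object User, Address | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';     e = { $_.Group[0].User } },
        @{ n = 'Address';  e = { $_.Group[0].Address } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated } } |
    Format-Table -AutoSize
```

Run it on each Domain Controller that ISE-PIC polls; an ISE-PIC node's address appearing in the output confirms that its WMI connection is the one being rejected.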

7 Replies

Greg Gibbs
Cisco Employee (Accepted Solution)

An enhancement bug has been filed for using Kerberos instead of NTLM for Passive ID. Until that is possible, this MS security patch will likely need to be removed.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz97194

ISE-PIC 3.1 supports using MSRPC instead of WMI for Passive ID. You could try testing with it in a lab, but I believe MSRPC is still NTLM-based, so it may also fail.

 

Thanks for the answer.

Guess we will wait then.

What if you stopped using ISE-PIC and just use Active Identity instead? We have ISE-PIC tied into our AD environment and using PXGRID services for USER to IP mapping for FMC firewall policies to work correctly. Is there a downside to switching over to active identity?

Is there any resolution or workaround on this? The date when the MS patch can no longer be deactivated is approaching (03/2023). After that, PassiveID/WMI stops working. Any comment appreciated.

Thanks Roman

RomanMikes95774
Level 1

MS-RPC agent solves the issue. It doesn't require the DCOM privileges like the WMI access does.

Charlie Moreton
Cisco Employee

Resurrecting a 2-year-old thread that has an accepted solution limits the number of people that will take a look at it. The best thing to do is to start a new thread.

Check out this article to solve the issue: Configure EVT-Based Identity Services Engine Passive ID Agent

lol, so Cisco has gone back to needing an agent installed on the DC; we've gone full circle!

Why didn't you guys just implement WinRM over HTTPS like Palo and call it a day?

Cisco really does love making things harder than they need to be.