Field Notice: FN - 72466 - Identity Services Engine – Passive ID WMI Provider Fails After Windows Server KB500442 Installation - Configuration Change Recommended

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.1	10-Apr-23	Updated the Workaround/Solution Section
1.0	18-Aug-22	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	Identity Services Engine System Software	2	2.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.6.0, 2.7.0	For ISE 2.X – all versions
NON-IOS	Identity Services Engine System Software	3	3.0.0, 3.1.0	For ISE 3.X - all versions

Defect Information

Defect ID	Headline
CSCvz97194	WMI Providers Not Working after Windows DCOM Server Hardening for CVE-2021-26414

Problem Description

Cisco Identity Services Engine (ISE) Passive Identity (Passive ID) services that use the Windows Management Instrumentation (WMI) provider will fail after Windows Server KB500442 or later is installed.

Background

The Distributed Component Object Model (DCOM) Remote Protocol is a protocol that is used in communication between the ISE Primary Passive ID node and the Domain Controller that shares the authentication events with ISE. Hardening changes in DCOM through Windows Server KB500442 or later were required to address vulnerability CVE-2021-26414. After the vulnerability is fixed, ISE will lack permissions to fetch the specific Kerberos events that are necessary for Passive ID services when the WMI provider is used.

Problem Symptom

After any Windows Server update that contains the fix for CVE-2021-26414 is installed, Passive ID services that use the WMI provider will fail. The domain controller side will display an error message similar to this:

Next error: “The server-side authentication level policy does not allow the user DOMAIN\username SID (S-X-X-X-X-X-X-X) from address xxx.xxx.xxx.xxx to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application”

Workaround/Solution

In order to resolve this issue, Cisco recommends to migrate Passive ID connections that use the WMI provider to EVT-based PIC Agent. EVT-based PIC Agent is available in ISE Release 3.0 and later.

For instructions on how to configure EVT-based PIC Agent, see Configure EVT-Based Identity Services Engine Passive ID Agent.

Additionally, PIC Agent for ISE 2.7 and earlier will continue to work if installed on a domain controller.

If EasyConnect is in use, ISE needs to be patched to support EasyConnect with PIC Agent. If not patched, ISE only supports EasyConnect with the WMI provider. Contact the Technical Assistance Center (TAC) for hot patches for these releases:

• ISE 3.0 Patch 7
• ISE 3.1 Patch 5
• ISE 3.2 Patch 1

For these releases, EasyConnect with PIC Agent will be supported without the need for hot patches and to contact TAC:

• ISE 3.0 Patch 8
• ISE 3.1 Patch 6
• ISE 3.2 Patch 2
• ISE 3.3

In order to detect EasyConnect use cases, choose Policy > Policy Sets and inspect each authorization policy in each policy set for these conditions:

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email or telephone

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.