Field Notice: FN72466 - Identity Services Engine – Passive ID WMI Provider Fails After Windows Server KB500442 Installation - Configuration Change Recommended

Available Languages

Updated:December 12, 2023

Document ID:FN72466

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Affected Software Product	Affected Release	Affected Release Number	Comments
Identity Services Engine System Software	2	2.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.6.0, 2.7.0	2.0: For ISE 2.X – all versions 2.0.1: For ISE 2.X – all versions 2.1.0: For ISE 2.X – all versions 2.2.0: For ISE 2.X – all versions 2.3.0: For ISE 2.X – all versions 2.4.0: For ISE 2.X – all versions 2.6.0: For ISE 2.X – all versions 2.7.0: For ISE 2.X – all versions
Identity Services Engine System Software	3	3.0.0, 3.1.0	3.0.0: For ISE 3.X - all versions 3.1.0: For ISE 3.X - all versions

Defect Information

Defect ID	Headline
CSCvz97194	WMI Providers Not Working after Windows DCOM Server Hardening for CVE-2021-26414

Problem Description

Cisco Identity Services Engine (ISE) Passive Identity (Passive ID) services that use the Windows Management Instrumentation (WMI) provider will fail after Windows Server KB500442 or later is installed.

Background

The Distributed Component Object Model (DCOM) Remote Protocol is a protocol that is used in communication between the ISE Primary Passive ID node and the Domain Controller that shares the authentication events with Cisco ISE. Hardening changes in DCOM through Windows Server KB500442 or later were required to address vulnerability CVE-2021-26414. After the vulnerability is fixed, Cisco ISE will lack permissions to fetch the specific Kerberos events that are necessary for Passive ID services when the WMI provider is used.

Problem Symptom

After any Windows Server update that contains the fix for CVE-2021-26414 is installed, Passive ID services that use the WMI provider will fail. The domain controller side will display an error message similar to this:

Next error: “The server-side authentication level policy does not allow the user DOMAIN\username SID (S-X-X-X-X-X-X-X) from address xxx.xxx.xxx.xxx to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application”

Workaround/Solution

In order to resolve this issue, Cisco recommends to migrate Passive ID connections that use the WMI provider to EVT-based PIC Agent. EVT-based PIC Agent is available in Cisco ISE Release 3.0 and later.

For instructions on how to configure EVT-based PIC Agent, see Configure EVT-Based Identity Services Engine Passive ID Agent.

Additionally, PIC Agent for Cisco ISE 2.7 and earlier will continue to work if installed on a domain controller.

If EasyConnect is in use, Cisco ISE needs to be patched to one of the following releases to support EasyConnect with PIC Agent. If not patched, Cisco ISE only supports EasyConnect with the WMI provider.

ISE 3.0 Patch 8
ISE 3.1 Patch 6
ISE 3.2 Patch 2
ISE 3.3

In order to detect EasyConnect use cases, choose Policy > Policy Sets and inspect each authorization policy in each policy set for these conditions:

Revision History

Version	Description	Section	Date
1.2	Updated the Workaround/Solution section.	Workaround/Solution	2023-DEC-12
1.1	Updated the Workaround/Solution section.	Workaround/Solution	2023-APR-10
1.0	Initial Release	—	2022-AUG-18

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Identity Services Engine Software