Server 2019 update KB5005568 (Sept 2021) forcing new DCOM authentication prematurely

Chuck Badeau 41

Hi,
We recent applied KB5005568 (Sept 21 update) to one of our Server 2019 DCs. After applying, we started receiving many DCOM error events 10036 (Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application) for a user id function on our Palo Alto FW (It uses a service account to resolve user identification from AD). Having read up on Microsoft's transition to a minimum of Packet Integrity for DCOM authentication (see June's KB5004442 and the DCOM issue described in CVE-2021-26414), it would appear that, at least in Server 2019, this feature has been enabled prematurely (Supposed to be Q1 2022 based on the timeline in the KB5004442) and the described reg entry to temporarily bypass the DCOM update does not work (it is supposed to be valid all of 2022 after the feature is enabled).

Our only solution has been to roll back the patch on our DC. I found one reference to someone else encountering the same. They have mixed OS's for DCs and are only seeing the issue on 2019 (https://www.reddit.com/r/paloaltonetworks/comments/pl5dm7/new_2019_dc_event_log_messages_from_panos_userid/).

Is anyone else seeing this behavior with the pending DCOM update?

First time posting here and really just trying to see if this is on MS's radar at all.

Thanks,
Chuck

Adams, Bill 6 Reputation points

2021-09-28T02:31:26.71+00:00

Same issue - Verified that we did install the KB5005112 on 8/19/21 - did not begin to see errors until application of KB5005568 on 9/26/21. began to see the errors shortly after the 2am application (2:00:52)- Errors are now continuous. Still no resolve that I have found other than rollback - ANYBODY find anything?
sabasigh 6 Reputation points

2021-10-01T12:47:07.193+00:00

Having the same issue on 2019DC's when we are querying WMI for events (errors/warnings) nightly. We get the error but the Powershell script that runs from a remote server is still able to pull the events. And so far no other clients appear to be creating this error when talking to the DC's
SimSama 11 Reputation points

2021-10-04T23:53:58.437+00:00

The fix related to this didn't work?

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel set to 0x00000000 and Reboot server.

The other is go to dcomcnfg, My Computer -> Properties -> Default Properties --- Reverse of what others said, set Default Authentication Level to Connect, and Default Impersonation Level to Identify.

Also go to COM Security, Edit Limits on both options, make sure user is manually added to local and remote access, local launch, remote launch etc.

Give those a go and see if any stick?
Peter Attwood 1 Reputation point

2021-10-05T06:33:10.187+00:00

Also my first time here. Have the same issue on a 2019 DC which is replacing an SBS 2011 DC which is causing the error - The server-side authentication level policy does not allow the user (sbs user) from address SBS 2011 address to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
10036 Error Microsoft-Windows-DistributedCOM
Tried the various suggestions but nothing gets rid of this. Does anyone know how to solve it? I pland to remove the sbs 2011 from the domain but wanted to get my new server error free first.
MJ Coronel 1 Reputation point

2021-10-08T01:11:07.897+00:00

This update KB5005568 also broke WMI Polling method in our monitoring. (SolarWinds)
WMI Polling fails all the time and we are getting"RPC server is unavailable" when testing WMI connectivity using wbemtest. Uninstalling the update resolved the issue, but we'd like to have the update installed without getting any WMI polling issues at all. Does anyone have this resolved from their end, can you share us what steps were taken to fix it? It would be greatly appreciated.

Keep safe everyone!
Talal Al-Mazrui 1 Reputation point

2021-10-09T18:56:57.77+00:00

Anyone had any luck with this so far? Getting the same as OP (Palo alto service account).
Micael Carlsson 1 Reputation point

2021-10-17T12:30:44.36+00:00

Hi the solution for me was to update the client server with the same patches and also using your tip:
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel set to 0x00000000 and Reboot server.

Many thanks
Klein-Wiele, Jonathan 11 Reputation points

2021-10-18T05:49:12.17+00:00

Hi micaelc,

can you explain some more how you resolved it finally?
We are having same issues with 2019.

Do i get it right that you uninstalled the CU of September, then set the Regkey, then installed the small update kb5004442 and then again the CU and then it worked without errors?
Micael Carlsson 1 Reputation point

2021-10-18T06:42:51.057+00:00

Hi.

I didn't uninstalled the patch, the error was created from another server that wasn't updated with the latest windows patches, when I updated that server too the error in eventlog disapered. Before that i did the following:
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel set to 0x00000000 and Reboot server.

But that didn't solve the issue, installing all patches on the server that created the event did. I saw the ip-adr in the event so I knew what server that I needed to patch also.

Hope this answer helps you?

BR

Micael
Micael Carlsson 1 Reputation point

2021-10-18T06:52:45.833+00:00

This is the error that was created in the eventlog for me, I could see the ip-adr from where it come, I updated that server too with the latest patches and the error went away:

The server-side authentication level policy does not allow the user DOMAIN\useraccount SID (S-X-X-XX-XXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXX-XXXXXXX) from address XX.XX.XX.XX to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

BR

Micael
Klein-Wiele, Jonathan 11 Reputation points

2021-10-18T07:59:07.577+00:00

Ok thanks for your reply that makes sense but that doesn't work for any appliances like Firewalls (Checkpoint) which basically have no patch available. Any idea how to fix it with that kind of servers?
Micael Carlsson 1 Reputation point

2021-10-18T08:38:38.293+00:00

No sorry, the fix for us was only regarding Windows server 2016 and 2019.
Andy Wodarczyk 1 Reputation point

2021-10-19T04:13:27.32+00:00

Had this issue first appear for me at the beginning of 2021. Determined that this registry key on the client HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel was created and set to 1 (meaning no authentication) by an app. From what I read if the key is not present authentication requirements are connect (equal to a value of 2). I updated the registry key value to 2. Additionally we were also seeing the Windows 10 search bar on the client be non-functional (black box). That issue was also solved by updating the above key value. Note that connect (value of 2) does not appear to meet the requirements of the event viewer log which states packet integrity which should be 5, but none the less this did clear the error on the server and resolve the Win 10 search bar on the client.
Jason 1 Reputation point

2021-10-19T18:12:21.69+00:00

We are experiencing the same issue. Hard fail, no work-around. We are trying to remove the patch now.
Heonmin Lim 1 Reputation point

2021-10-22T22:18:07.953+00:00

Updating client Windows machines with a recent OS patche (10/12/2021 Update package) just resolved this problem. No registry hacks were needed.
Jason 1 Reputation point

2021-10-25T12:54:23.187+00:00

You may need to try a beta firmware. Our vendor happened to release a beta that patches this issue the same day we started seeing the problem.
Jason 1 Reputation point

2021-10-25T12:55:21.58+00:00

You may need to try a beta firmware. Our vendor happened to release a beta that patches this issue the same day we started seeing the problem.
Jason 1 Reputation point

2021-10-25T12:57:07.997+00:00

The issue is not so much of a problem if you have a Windows only environment, but if you have network devices that use AD or RADIUS, a Windows Update will not resolve the issue.

18 answers

Romain 1 Reputation point

2021-10-15T12:30:19.013+00:00

Hello all,

I have the same error on a Windows Server 2016.
KB5005573 & KB5005698 have been installed. I suppose the problem is with KB5005573.

Have you found a solution or a workaround to stop errors in the event logs (Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application)?

Thanks & regards,
Please sign in to rate this answer.
Micael Carlsson 1 Reputation point

2021-10-17T12:32:27.25+00:00

Hi I installed the same patches on the server that created the event, that solved the issues, so I guess have all your servers on the same patchlevel solves this?

yhchoi 1 Reputation point

2021-10-18T08:20:05.27+00:00

Hi micaelc,

what patches did you install?

Micael Carlsson 1 Reputation point

2021-10-18T08:41:44.913+00:00

These 2 on Windows 2016 Server:
2021-09 Servicing Stack Update for Windows Server 2016 for x64-based Systems (KB5005698)
2021-09 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5005573)

BR

Micael
Sign in to comment
Alexander Boes 1 Reputation point

2021-10-18T13:19:21.013+00:00

we have exactly the same.
Windows Terminal Server 2019 10.0.17763.2237
Office 365 E3 Build: 2102 16.0.13801.21004 32Bit

Ereignise in System:

Ereignis1:
The server-side authentication level policy does not allow the user AD\Administrator SID (S-1-5-21-3123687329-548211103-3594694034-500) from address 192.168.172.4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

Ereignis2:
Ein DCOM-Server konnte nicht gestartet werden: Microsoft.Windows.Cortana_1.11.6.17763_neutral_neutral_cw5n1h2txyewy!CortanaUI.AppXfbn8w4s0jbk3tjevpcn9kaxerc6rby8k.mca als Nicht verfügbar/Nicht verfügbar. Fehler:
"0"
Aufgetreten beim Start dieses Befehls:
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca

Ereignis3:
Ein DCOM-Server konnte nicht gestartet werden: Microsoft.AAD.BrokerPlugin_1000.17763.1.0_neutral_neutral_cw5n1h2txyewy!Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider als Nicht verfügbar/Nicht verfügbar. Fehler:
"0"
Aufgetreten beim Start dieses Befehls:
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

Office 365 on the terminal server cannot be activated. Window is there, email address in, window disappears and comes back when Excel hangs up twice.

bin für jede Lösung offen
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Scott Owens 1 Reputation point

2021-10-29T15:33:53.757+00:00

I am also seeing this on Windows Server 2019 with Palo Alto User-ID. Is there a patch or fix from Microsoft on this?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Romain 1 Reputation point

2021-10-29T17:38:18.297+00:00
Hello all,

I am experiencing the same problem on Windows Server 2016 with this error message in the events logs (events 10036).
3 questions in order to fully understand the issue:

On the client side, is this an option to be changed at the system level or at the application level? Maybe both (KB deployment + application configuration to raise the authentication level)?

If change to be made at system level, do we have an option/workaround for a Windows XP client?

It is stated in this link that : To address the vulnerability described in CVE-2021-26414, you must install updates released June 8, 2021 or later and enable the registry key described below in your environment. We recommended that you complete testing in your environment and enable these hardening changes as soon as possible. If you find issues during testing, you must contact the vendor for the affected client or server software for an update or workaround before early 2022.
Does this mean that in early 2022, by default DCOM servers will apply the Authentication-Level d RPC_C_AUTHN_LEVEL_PKT_INTEGRITY? Will we have a way to prevent this activation if needed?

Thanks & regards
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
AzureGuineaPig 1 Reputation point

2021-11-03T19:01:54.95+00:00

Also happening on Server 2012R2 domain controller, after installing the October 2021 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5006714).

Setting the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel to 0x00000000 and restarting the server, also does not resolve the issue.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment