Field Notice: FN – 72466 – Identity Services Engine – Passive ID WMI Provider Fails After Windows Server KB500442 Installation – Configuration Change Recommended

Problem Description
Cisco Identity Services Engine (ISE) Passive Identity (Passive ID) services that use the Windows Management Instrumentation (WMI) provider will fail after Windows Server KB500442 or later is installed.

Background
The Distributed Component Object Model (DCOM) Remote Protocol is a protocol that is used in communication between the ISE Primary Passive ID node and the Domain Controller that shares the authentication events with ISE. Hardening changes in DCOM through Windows Server KB500442 or later were required to address vulnerability CVE-2021-26414. After the vulnerability is fixed, ISE will lack permissions to fetch the specific Kerberos events that are necessary for Passive ID services when the WMI provider is used.

Problem Symptom
After any Windows Server update that contains the fix for CVE-2021-26414 is installed, Passive ID services that use the WMI provider will fail. The domain controller side will display an error message similar to this:

Next error: “The server-side authentication level policy does not allow the user DOMAIN\username SID (S-X-X-X-X-X-X-X) from address xxx.xxx.xxx.xxx to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application”
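A defender who wants to confirm that this field notice applies usually has to find that DCOM denial in the domain controller's System log and tie the denied client address back to the ISE Primary Passive ID node. The following Python script is an added example, not Cisco's code and not part of the field notice: it parses the error text quoted above out of log lines, extracts the denied principal, SID, client address and required authentication level, and flags the entries whose client address belongs to a known Passive ID node. The sample log lines, the domain name CORP, the service account svc-ise, the SID and the IP addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Regex for the DCOM hardening denial message quoted in the field notice.
# The named groups (principal, sid, client_ip, required_level) are this
# example's own names, not fields defined by Windows or Cisco.
DCOM_DENY_RE = re.compile(
    r"The server-side authentication level policy does not allow the user "
    r"(?P<principal>\S+) SID \((?P<sid>S-[0-9-]+)\) from address "
    r"(?P<client_ip>[0-9a-fA-F.:]+) to activate DCOM server\. "
    r"Please raise the activation authentication level at least to "
    r"(?P<required_level>RPC_C_AUTHN_LEVEL_\w+) in client application"
)


@dataclass(frozen=True)
class DcomDenial:
    principal: str       # DOMAIN\username that was refused activation
    sid: str             # SID of that principal
    client_ip: str       # address the DCOM activation came from
    required_level: str  # authentication level the DC now demands


def parse_dcom_denial(line: str) -> Optional[DcomDenial]:
    """Return a DcomDenial for a log line carrying the hardening error, else None."""
    m = DCOM_DENY_RE.search(line)
    if m is None:
        return None
    return DcomDenial(**m.groupdict())


def triage(lines: Iterable[str], passive_id_nodes: Set[str]) -> List[Tuple[DcomDenial, bool]]:
    """Parse every line; pair each denial with whether its client address is a
    known ISE Passive ID node, so hits tied to this field notice stand out."""
    results: List[Tuple[DcomDenial, bool]] = []
    for line in lines:
        denial = parse_dcom_denial(line)
        if denial is None:
            continue
        results.append((denial, denial.client_ip in passive_id_nodes))
    return results


def denials_by_client(lines: Iterable[str]) -> Dict[str, int]:
    """Count denials per client address; repeated hits from one address after
    a Windows update are the pattern the field notice describes."""
    counts: Dict[str, int] = {}
    for denial, _ in triage(lines, set()):
        counts[denial.client_ip] = counts.get(denial.client_ip, 0) + 1
    return counts


# Constructed sample log lines (not real events): two denials from the
# hypothetical ISE node 10.0.0.5, one unrelated service event, and one
# denial from an unrelated workstation.
SAMPLE_EVENTS = [
    "DistributedCOM: The server-side authentication level policy does not allow "
    "the user CORP\\svc-ise SID (S-1-5-21-111-222-333-1105) from address 10.0.0.5 "
    "to activate DCOM server. Please raise the activation authentication level "
    "at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application",
    "Service Control Manager: The Print Spooler service entered the running state.",
    "DistributedCOM: The server-side authentication level policy does not allow "
    "the user CORP\\svc-ise SID (S-1-5-21-111-222-333-1105) from address 10.0.0.5 "
    "to activate DCOM server. Please raise the activation authentication level "
    "at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application",
    "DistributedCOM: The server-side authentication level policy does not allow "
    "the user CORP\\jdoe SID (S-1-5-21-111-222-333-2200) from address 192.0.2.77 "
    "to activate DCOM server. Please raise the activation authentication level "
    "at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application",
]

# Hypothetical address of the ISE Primary Passive ID node (assumption).
PASSIVE_ID_NODES = {"10.0.0.5"}


if __name__ == "__main__":
    for denial, is_ise in triage(SAMPLE_EVENTS, PASSIVE_ID_NODES):
        tag = "PASSIVE-ID NODE" if is_ise else "other client"
        print(f"[{tag}] {denial.principal} ({denial.sid}) from {denial.client_ip} "
              f"needs {denial.required_level}")
    print("denials per client:", denials_by_client(SAMPLE_EVENTS))
```

Feed it the message text of the DC's DistributedCOM events and the address set of your Passive ID nodes; a steady stream of flagged hits for the Passive ID service account right after a Windows Server update is the signature this notice describes, while denials from other addresses point at unrelated DCOM clients that the same hardening affects.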

This advisory can be found at the following link:
https://www.cisco.com/c/en/us/support/docs/field-notices/724/fn72466.html