Messages like the following are flooding the Event Viewer on Windows Server 2019 servers:
The server-side authentication level policy does not allow the user DOMAIN\USERID SID (DOMAIN\USERID) from address
As part of Microsoft's transition to a minimum of Packet Integrity for DCOM authentication (see June's KB5004442 and the DCOM issue described in CVE-2021-26414), it appears that, at least in Server 2019, this feature has been enabled prematurely (it was supposed to be enabled in Q1 2022, based on the timeline in KB5004442) and that the described registry entry to temporarily bypass the DCOM update does not work (it is supposed to remain valid for all of 2022 after the feature is enabled).
This issue is not exclusive to Foglight and has been experienced with numerous other third-party software products accessing Domain Controllers with WMI.
Numerous suggestions have been provided on the Internet for this issue; however, as of November 2, 2021, none have been consistently confirmed aside from rolling back the KB5004442 update from Microsoft.
Microsoft released the patch for Windows 2019 before other OSes, so one scenario might be that the monitored host is 2019 and has the patch, but the FglAM or DC is on a different OS version for which no comparable hotfix is available.
RESOLUTION 1 * Primary recommended resolution *
Rollback and uninstall the KB5004442 update from Microsoft
Deactivate the hardening changes via the registry (this is not a long-term solution), as described in Microsoft Knowledgebase article KB5004442 - Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
Configure the firewall to use WinRM-http over Kerberos.
If using WinRM, add the Foglight user to the Active Directory (AD) "Remote Management" group
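Before choosing a resolution, it helps to confirm which hardening state the server is in and which accounts and client addresses are triggering the event. The read-only PowerShell below is an added example, not a Quest or Microsoft script; the registry path and value name are the ones documented in KB5004442, while the event ID (10036), the provider name and the 24-hour window are assumptions to confirm against that article and your own logs.

```powershell
# Added example: read-only triage of the DCOM hardening state on one server.
# Registry path and value name as documented in KB5004442 (confirm there).
$key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name = 'RequireIntegrityActivationAuthenticationLevel'

$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop)        { $state = 'not set (OS default applies)' }
elseif ($prop.$name -eq 0)  { $state = 'hardening disabled via registry' }
elseif ($prop.$name -eq 1)  { $state = 'hardening enabled via registry' }
else                        { $state = "unexpected value: $($prop.$name)" }
"DCOM hardening registry state: $state"

# Assumption: the quoted message is logged in the System log as event 10036
# from the DistributedCOM provider. Look back 24 hours (arbitrary window).
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036
    StartTime    = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the account and client address out of the message text and count
# occurrences, so the noisiest monitoring accounts and hosts stand out.
$pattern = 'the user (?<user>.+?) SID \(.*?\) from address (?<addr>\S+)'
$events | ForEach-Object {
    if ($_.Message -match $pattern) {
        [pscustomobject]@{ User = $Matches.user; Address = $Matches.addr }
    }
} | Group-Object User, Address |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each row of the output is one account and client address pair still connecting below Packet Integrity, which shows whether the Foglight agent host or another WMI client is the source.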
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.