Messages like the following are spamming the Event Viewer "System" logs on Windows servers:
The server-side authentication level policy does not allow the user DOMAIN\USERID SID (DOMAIN\USERID) from address to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
These messages are caused by Microsoft's transition to a minimum of Packet Integrity for DCOM authentication (see June's KB5004442 on DCOM hardening and the DCOM issue described in CVE-2021-26414).
This issue is not exclusive to Foglight and has been experienced with numerous other third-party software products accessing Domain Controllers with WMI.
Microsoft released the patch for Windows 2019 earlier than for other OSes, so one scenario might be where the monitored host is 2019 and has the patch, but the FglAM or DC is on a different OS version without a comparable hotfix being available.
RESOLUTION 1 * For Windows FglAMs *
To resolve this issue, install the latest patches from Microsoft on the server that hosts the Foglight Agent Manager (the engine running data collections against the host).
Windows Updates should be installed on all servers (FMS, FglAM, and the monitored host), especially the machine at the IP address printed in the Event Logs, so that they are all on the same patch level.
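To see which machines still need patching, the events can be grouped by the client address and user they name. The PowerShell below is an added example, not Quest's or Microsoft's code; it matches on the message text quoted above, and the function names and the values in the sample message (CONTOSO\svc_foglight, 192.0.2.15, the SID) are constructed for illustration.

```powershell
# Added example: summarize DCOM hardening events by client address and user.
# Assumption: events are recognized by the message text quoted in this article.
$DcomPattern = 'does not allow the user (?<User>.+?) SID \((?<Sid>[^)]*)\) ' +
               'from address (?<Address>\S+) to activate DCOM server'

function ConvertFrom-DcomHardeningMessage {
    # Returns User/Sid/Address for a matching message, nothing otherwise.
    param([string]$Message)
    if ($Message -match $DcomPattern) {
        [pscustomobject]@{
            User    = $Matches['User']
            Sid     = $Matches['Sid']
            Address = $Matches['Address']
        }
    }
}

function Get-DcomHardeningClient {
    param([string]$ComputerName = 'localhost', [int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-DcomHardeningMessage -Message $_.Message
            if ($parsed) {
                $parsed | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
            }
        } |
        Group-Object Address, User |
        ForEach-Object {
            [pscustomobject]@{
                Address  = $_.Group[0].Address
                User     = $_.Group[0].User
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        } |
        Sort-Object Count -Descending
}

# Constructed sample message, to check the parse without touching the event log:
ConvertFrom-DcomHardeningMessage -Message ('The server-side authentication level policy does not allow ' +
    'the user CONTOSO\svc_foglight SID (S-1-5-21-0-0-0-1104) from address 192.0.2.15 to activate DCOM server.')

# Live query of the last 7 days on the local machine:
Get-DcomHardeningClient -Days 7 | Format-Table -AutoSize
```

Run it on the server that is logging the events; each address in the output is a client whose patch level should be compared with that server's.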
RESOLUTION 2 * For Windows and Linux FglAMs *
Configure agent connections to use WinRM-http over Kerberos instead of WMI-DCOM.
If using WinRM, add the Foglight user to the Active Directory (AD) "Remote Management" group. For additional information, refer to the section Configuring Windows Remote Management (WinRM) in the Foglight Agent Manager Guide.
Defect ID FOG-4830 has been fixed in the 6.3 and higher releases of the Foglight Agent Manager to address the authentication level of DCOM connections from Linux Foglight Agent Managers.
For more information, please see Microsoft's Question thread 564347.